CVE-2025-21616

MEDIUM

Plane < 0.23.0 - Authenticated Stored Cross-Site Scripting via SVG Profile Image Upload

Title source: llm
STIX 2.1

Description

Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.

References (1)

Core 1
Core References

Scores

CVSS v3 5.4
EPSS 0.0026
EPSS Percentile 17.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
plane/plane < 0.23.0
Published Jan 06, 2025
Tracked Since Feb 18, 2026