CVE-2025-62716
HIGHPlane < 1.1.0 - Unauthenticated Open Redirect and Cross-Site Scripting via next_path Parameter
Title source: llmDescription
Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary schemes (e.g., javascript:) that are passed directly to router.push. This results in a cross-site scripting (XSS) vulnerability, enabling attackers to execute arbitrary JavaScript in the victim’s browser. The issue can be exploited without authentication and has severe impact, including information disclosure, and privilege escalation and modifications of administrative settings. This issue has been patched in version 1.1.0.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/makeplane/plane/security/advisories/GHSA-6fj7-xgpg-mj6f
Scores
CVSS v3
8.1
EPSS
0.0027
EPSS Percentile
18.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-601
CWE-79
Status
published
Products (1)
makeplane/plane
< 1.1.0
Published
Oct 24, 2025
Tracked Since
Feb 18, 2026