CVE-2025-62716

HIGH

Plane <1.1.0 - XSS

Title source: llm

Description

Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary schemes (e.g., javascript:) that are passed directly to router.push. This results in a cross-site scripting (XSS) vulnerability, enabling attackers to execute arbitrary JavaScript in the victim’s browser. The issue can be exploited without authentication and has severe impact, including information disclosure, and privilege escalation and modifications of administrative settings. This issue has been patched in version 1.1.0.

References (1)

[Vendor Advisory] https://github.com/makeplane/plane/security/advisories/GHSA-6fj7-xgpg-mj6f

Scores

CVSS v3 8.1

EPSS 0.0004

EPSS Percentile 13.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-601 CWE-79

Status published

Products (1)

makeplane/plane < 1.1.0

Published Oct 24, 2025

Tracked Since Feb 18, 2026