CVE-2026-39843

HIGH

Plane has a Server-Side Request Forgery (SSRF) in Favicon Fetching

Title source: cna

Description

Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address is supplied to Add link by an authenticated attacker with low privileges. Redirects for the main page URL are validated, but not the favicon fetch path. fetch_and_encode_favicon() still uses requests.get(favicon_url, ...) with the default redirect-following. This vulnerability is fixed in 1.3.0.

References (1)

[X_Refsource_Confirm] https://github.com/makeplane/plane/security/advisories/GHSA-9fr2-pprw-pp9j

Scores

CVSS v3 7.7

EPSS 0.0003

EPSS Percentile 9.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Details

CWE

CWE-918

Status published

Products (2)

makeplane/plane >= 0.28.0, < 1.3.0

plane/plane 0.28.0 - 1.3.0

Published Apr 09, 2026

Tracked Since Apr 09, 2026