Stored XSS Vulnerability in Plane Project Management Software
CVE-2025-55203

5.4 MEDIUM

Key Information:

Vendor

Makeplane

Status
Vendor
CVE Published:
15 August 2025

What is CVE-2025-55203?

Plane, an open-source project management tool, has a stored cross-site scripting (XSS) vulnerability in the description_html field in versions prior to 0.28.0. Because the field is neither sanitized nor escaped before being saved, crafted JavaScript payloads can be stored in the database, and the injected code runs in the browser of any user who later views the affected content. This exposes those users to session hijacking, theft of sensitive data, or redirection to malicious websites, and the flaw may be chained with Cross-Site Request Forgery (CSRF) to perform unauthorized actions or distribute malware. Users are strongly advised to update to version 0.28.0 or later.

Affected Version(s)

plane < 0.28.0

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
