Arbitrary Code Injection Vulnerability in Plane by Fluid Attacks
CVE-2026-10850

6.9MEDIUM

Key Information:

Vendor: Plane
Status: Plane
Vendor: CVE Published:; 17 June 2026

What is CVE-2026-10850?

In Plane CE version 1.3.1, a vulnerability exists that allows a low-privileged project member to exploit the API v1 intake endpoint. By submitting arbitrary HTML and JavaScript code within the description_html field when creating an intake work item, an attacker could potentially execute malicious scripts, compromising the integrity of the application and its data. This highlights the importance of implementing strict validation and sanitization measures within APIs to prevent unauthorized actions and protect against potential exploitation.

Affected Version(s)

Plane Windows 1.3.1

References

https://fluidattacks.com/es/advisories/earth

third-party-advisory

https://github.com/makeplane/plane

product

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
Jun 4, 2026

Credit

Oscar Naveda

CVE-2026-10850 Data

JSON