Server-Side Request Forgery Vulnerability in Plane Project Management Tool
CVE-2026-39843

7.7HIGH

Key Information:

Vendor: Makeplane
Status: Plane
Vendor: CVE Published:; 9 April 2026

What is CVE-2026-39843?

The Plane project management tool, from versions 0.28.0 to before 1.3.0, suffers from an incomplete remediation of a previously identified vulnerability. This flaw allows an authenticated attacker with low privileges to conduct a Server-Side Request Forgery attack. Specifically, the issue arises when a normal HTML page contains a link tag pointing to a private IP address, which an attacker can exploit by supplying it through an 'Add link' feature. Although the redirect validation for the main page URL is enforced, the favicon fetch path remains vulnerable due to the use of requests.get(favicon_url, ...) that does not properly handle redirects. The vulnerability has been addressed in version 1.3.0.

Affected Version(s)

plane >= 0.28.0, < 1.3.0

References

https://github.com/makeplane/plane/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2026
Vulnerability Reserved
Apr 7, 2026

CVE-2026-39843 Data

JSON

Makeplane

What is CVE-2026-39843?

Affected Version(s)

References

CVSS V3.1

Timeline