PatchSiren cyber security CVE debrief
CVE-2026-10850 Plane CVE debrief
CVE-2026-10850 is a vulnerability in Plane CE 1.3.1 that allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint. This vulnerability has a CVSS score of 6.9, indicating a medium severity. The vulnerability exists due to insufficient input validation and sanitization in the description_html field, potentially leading to security issues such as cross-site scripting (XSS). Users of Plane CE 1.3.1, particularly those with low-privileged project members, should be aware of this vulnerability and take necessary precautions to prevent exploitation.
- Vendor
- Plane
- Product
- Unknown
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-23
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-23
Who should care
Users of Plane CE 1.3.1, particularly those with low-privileged project members, should be aware of this vulnerability and take necessary precautions to prevent exploitation. This includes updating to a patched version of Plane CE, restricting access to the intake work item creation endpoint, implementing input validation and sanitization for the description_html field, and monitoring for suspicious activity on the intake work item creation endpoint.
Technical summary
The vulnerability exists in the description_html field of the intake work item creation endpoint in Plane CE 1.3.1. An attacker with low privileges can inject arbitrary HTML/JS code, potentially leading to security issues such as cross-site scripting (XSS). The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
Medium priority should be given to addressing this vulnerability, as it allows for the injection of arbitrary HTML/JS code.
Recommended defensive actions
- Update to a patched version of Plane CE
- Restrict access to the intake work item creation endpoint
- Implement input validation and sanitization for the description_html field
- Monitor for suspicious activity on the intake work item creation endpoint
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-06-17T15:16:42.440Z and was last modified on 2026-06-23T14:47:07.490Z. The NVD entry is currently Analyzed. This vulnerability affects Plane CE 1.3.1, and its description indicates that a low-privileged project member can submit arbitrary HTML/JS in the description_html field. The CVSS score is 6.9, indicating medium severity. Users should verify their deployments and review official advisories for mitigation guidance.
Official resources
-
CVE-2026-10850 CVE record
CVE.org
-
CVE-2026-10850 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Third Party Advisory
-
Source reference
[email protected] - Product
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T15:16:42.440Z and has not been modified since then. The NVD entry is currently Analyzed.