PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10850 Plane CVE debrief

CVE-2026-10850 is a vulnerability in Plane CE 1.3.1 that allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint. This vulnerability has a CVSS score of 6.9, indicating a medium severity. The vulnerability exists due to insufficient input validation and sanitization in the description_html field, potentially leading to security issues such as cross-site scripting (XSS). Users of Plane CE 1.3.1, particularly those with low-privileged project members, should be aware of this vulnerability and take necessary precautions to prevent exploitation.

Vendor
Plane
Product
Unknown
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-23
Advisory published
2026-06-17
Advisory updated
2026-06-23

Who should care

Users of Plane CE 1.3.1, particularly those with low-privileged project members, should be aware of this vulnerability and take necessary precautions to prevent exploitation. This includes updating to a patched version of Plane CE, restricting access to the intake work item creation endpoint, implementing input validation and sanitization for the description_html field, and monitoring for suspicious activity on the intake work item creation endpoint.

Technical summary

The vulnerability exists in the description_html field of the intake work item creation endpoint in Plane CE 1.3.1. An attacker with low privileges can inject arbitrary HTML/JS code, potentially leading to security issues such as cross-site scripting (XSS). The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

Medium priority should be given to addressing this vulnerability, as it allows for the injection of arbitrary HTML/JS code.

Recommended defensive actions

  • Update to a patched version of Plane CE
  • Restrict access to the intake work item creation endpoint
  • Implement input validation and sanitization for the description_html field
  • Monitor for suspicious activity on the intake work item creation endpoint
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-06-17T15:16:42.440Z and was last modified on 2026-06-23T14:47:07.490Z. The NVD entry is currently Analyzed. This vulnerability affects Plane CE 1.3.1, and its description indicates that a low-privileged project member can submit arbitrary HTML/JS in the description_html field. The CVSS score is 6.9, indicating medium severity. Users should verify their deployments and review official advisories for mitigation guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T15:16:42.440Z and has not been modified since then. The NVD entry is currently Analyzed.