PatchSiren

makeplane CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH makeplane CVE published 2026-06-10

CVE-2026-46558

CVE-2026-46558 is a high-severity vulnerability in Plane, an open-source project management tool. Prior to version 1.3.1, a cross-workspace asset authorization bypass allows any authenticated user to read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1.

MEDIUM makeplane CVE published 2026-05-20

CVE-2026-40102

CVE-2026-40102 affects Plane versions 1.3.0 and below and is fixed in 1.3.1. The issue is an ORM Field Reference Injection in SavedAnalyticEndpoint: a user-controlled segment query parameter was passed directly into a Django F() expression without the allowlist validation used by the regular AnalyticsEndpoint. An authenticated workspace MEMBER could craft a request to the saved analytics endpoint and caus [truncated]