makeplane — Vulnerabilities & Security Advisories 14

Browse all 14 CVE security advisories affecting makeplane. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Makeplane provides collaborative software development tools, primarily serving DevOps teams for project management and code collaboration. Historically, the platform has been vulnerable to multiple remote code execution (RCE) flaws, cross-site scripting (XSS) attacks, and privilege escalation issues, accounting for most of its 14 recorded CVEs. Security researchers have identified consistent patterns in input validation failures and insufficient access controls across different versions. While no major public security incidents have been widely documented, the accumulation of CVEs suggests ongoing challenges in secure coding practices, particularly in handling user-supplied data and maintaining proper privilege boundaries between different user roles.

Top products by makeplane: plane
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39843 | Plane has a Server-Side Request Forgery (SSRF) in Favicon Fetching | plane | CWE-918 | 7.7 | High | 2026-04-09 |
| CVE-2026-27949 | Plane Exposes User Email (PII and part of credential) in GET Parameter | plane | CWE-200 | 2.0 | Low | 2026-04-07 |
| CVE-2026-39374 | Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint | plane | CWE-639 | 6.5 | Medium | 2026-04-07 |
| CVE-2026-30242 | Plane: SSRF via Incomplete IP Validation in Webhook URL Serializer | plane | CWE-918 | 8.5 | High | 2026-03-06 |
| CVE-2026-30244 | Plane: Unauthenticated Workspace Member Information Disclosure | plane | CWE-284 | 7.5 | High | 2026-03-06 |
| CVE-2026-27706 | Plane Vulnerable to Full Read SSRF via Favicon Fetching in "Add Link" Feature | plane | CWE-918 | 7.7 | High | 2026-02-25 |
| CVE-2026-27705 | Plane Vulnerable to Cross-Workspace/Cross-Project Asset Modification via IDOR in ProjectAssetEndpoint.patch | plane | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-02-25 |
| CVE-2025-69284 | In plane.io, a Guest User to a Workspace can still be able to see list of members | plane | CWE-284 | 4.3 | Medium | 2026-01-02 |
| CVE-2025-62716 | Plane Vulnerable to Cross-Site Scripting via Open Redirect in ?next_path Parameter | plane | CWE-79 | 8.1 | High | 2025-10-24 |
| CVE-2025-55203 | Plane Stored XSS in Add Work Item Functionality | plane | CWE-79 | 5.4 | Medium | 2025-08-15 |
| CVE-2025-48070 | Plane has insecure permissions in UserSerializer | plane | CWE-276 | 3.5 | Low | 2025-05-21 |
| CVE-2025-21616 | Plane has a Cross-site scripting (XSS) via SVG image upload | plane | CWE-79 | 5.4 | Medium | 2025-01-06 |
| CVE-2024-47830 | Plane allows server side request forgery via /_next/image endpoint | plane | CWE-918 | 9.3 | Critical | 2024-10-11 |
| CVE-2024-31461 | Plane Server-Side Request Forgery (SSRF) Vulnerability | plane | CWE-918 | 9.1 | Critical | 2024-04-10 |

This page lists every published CVE security advisory associated with makeplane. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.