cvedb.io
CVE-2026-10850
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2026-06-17T15:16:42.440 · Last modified 2026-06-23T14:47:07.490

Summary

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.

Affected products

plane — plane

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.