{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39843", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T19:13:20.377Z", "datePublished": "2026-04-09T15:43:34.963Z", "dateUpdated": "2026-04-13T20:05:32.594Z"}, "containers": {"cna": {"title": "Plane has a Server-Side Request Forgery (SSRF) in Favicon Fetching", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/makeplane/plane/security/advisories/GHSA-9fr2-pprw-pp9j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-9fr2-pprw-pp9j"}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"version": ">= 0.28.0, < 1.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T15:43:34.963Z"}, "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address is supplied to Add link by an authenticated attacker with low privileges. Redirects for the main page URL are validated, but not the favicon fetch path. fetch_and_encode_favicon() still uses requests.get(favicon_url, ...) with the default redirect-following. This vulnerability is fixed in 1.3.0."}], "source": {"advisory": "GHSA-9fr2-pprw-pp9j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T20:05:19.321734Z", "id": "CVE-2026-39843", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:05:32.594Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39843", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T20:05:19.321734Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:05:29.218Z"}}], "cna": {"title": "Plane has a Server-Side Request Forgery (SSRF) in Favicon Fetching", "source": {"advisory": "GHSA-9fr2-pprw-pp9j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "makeplane", "product": "plane", "versions": [{"status": "affected", "version": ">= 0.28.0, < 1.3.0"}]}], "references": [{"url": "https://github.com/makeplane/plane/security/advisories/GHSA-9fr2-pprw-pp9j", "name": "https://github.com/makeplane/plane/security/advisories/GHSA-9fr2-pprw-pp9j", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address is supplied to Add link by an authenticated attacker with low privileges. Redirects for the main page URL are validated, but not the favicon fetch path. fetch_and_encode_favicon() still uses requests.get(favicon_url, ...) with the default redirect-following. This vulnerability is fixed in 1.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T15:43:34.963Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39843", "state": "PUBLISHED", "dateUpdated": "2026-04-13T20:05:32.594Z", "dateReserved": "2026-04-07T19:13:20.377Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T15:43:34.963Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*", "matchCriteriaId": "3970711C-9965-41A8-97F4-A27EE7B3EF01", "versionEndExcluding": "1.3.0", "versionStartIncluding": "0.28.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address is supplied to Add link by an authenticated attacker with low privileges. Redirects for the main page URL are validated, but not the favicon fetch path. fetch_and_encode_favicon() still uses requests.get(favicon_url, ...) with the default redirect-following. This vulnerability is fixed in 1.3.0."}], "id": "CVE-2026-39843", "lastModified": "2026-04-17T20:08:53.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-09T16:16:31.087", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/makeplane/plane/security/advisories/GHSA-9fr2-pprw-pp9j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.28.0,1.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "plane", "source": "cna", "vendor": "makeplane"}, "product": "plane", "vendor": "makeplane"}], "analysis": {"en": {"generated_at": "2026-04-09T17:25:08.351843+00:00", "value": {"mitigation_remediation": ["Upgrade Plane to version 1.3.0 or newer to apply the fix.", "If an immediate upgrade is not possible, block or restrict the Add link functionality for authenticated users with low privileges to prevent SSRF exploitation.", "As a temporary measure, isolate the Plane server from internal networks or implement outbound firewall rules to deny connections to private IP ranges."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery that can expose internal resources"}, "threat_synthesis": {"affected_systems": "The issue affects Plane versions starting at 0.28.0 up to, but not including, 1.3.0. All installations of makeplane Plane within that range are vulnerable unless protected by additional network controls. Version 1.3.0 and later contain a fix that validates the favicon URL and blocks redirects to private addresses.", "description_and_impact": "A recent vulnerability in Plane, an open\u2011source project management application, allows an authenticated attacker with low privileges to exploit an incomplete server\u2011side request forgery (SSRF) in the favicon fetching process. When an attacker adds a link element that redirects to a private IP via the Add link interface, the backend fetches the referenced favicon using a default HTTP client that follows redirects without validation. This means the server can be instructed to retrieve internal resources, providing read access to potentially sensitive data on internal networks. The flaw, classified as CWE\u2011918, permits the attacker to read arbitrary internal content as the Plane instance, resulting in confidentiality compromises.", "risk_and_exploitability": "The CVSS base score is 7.7, indicating high severity. No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated but only with low privileges and to create a link that triggers the SSRF. If internal network defenses permit outbound requests and the application does not restrict target URLs, an attacker could read files, query internal services, or exfiltrate data. Given the lack of high complexity or privilege escalation, the risk is primarily exposure of internal resources; however, the potential impact is significant for sensitive infrastructure."}}}}, "created": "2026-04-10T08:53:11.975602+00:00", "updated": "2026-04-10T09:32:24.525091+00:00", "vendors": ["makeplane", "makeplane$PRODUCT$plane"]}