CVE-2026-10850
Awaiting Analysis - Queue
Arbitrary JavaScript Execution in Plane CE via API Intake

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Fluid Attacks

Description
Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.
Affected Vendors & Products
Vendor: makeplane
Product: plane
Version / Range: 1.3.1
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-10850 is a stored cross-site scripting (XSS) vulnerability in Plane CE version 1.3.1. It allows a low-privileged project member, including guests with an API token, to inject arbitrary HTML or JavaScript code into the description_html field when creating an intake work item through the API v1 intake endpoint.

The backend stores this raw HTML without applying the usual server-side sanitization that is used for regular issue serializers. As a result, when a privileged user views the intake item in the Plane user interface, the malicious code executes in their browser session.

Impact Analysis

This vulnerability can lead to the execution of malicious scripts in the browser of privileged users when they view the intake work items containing the injected code.

Such script execution can expose sensitive data accessible to the privileged user or perform unauthorized actions on their behalf within the Plane platform.

Since the vulnerability is remotely exploitable and requires only low privileges to inject the payload, it poses a significant risk to the confidentiality and integrity of project data.

Detection Guidance

This vulnerability involves a low-privileged project member submitting arbitrary HTML/JS in the description_html field via the API v1 intake endpoint. Detection would involve monitoring API requests to this endpoint for suspicious or unexpected HTML/JavaScript content in the description_html field.

Since the vulnerability is a stored cross-site scripting (XSS) issue in intake work items, exploitation can be detected by inspecting intake work items created through the API for embedded HTML or JavaScript payloads.

Specific commands are not provided in the available resources, but general approaches include:

  • Use API logs or network traffic capture tools (e.g., tcpdump, Wireshark) to filter requests to the API v1 intake endpoint and check the description_html field for suspicious scripts.
  • Query the Plane database or API for intake work items and review the description_html field for embedded script tags or unusual HTML content.
  • Use web application security scanners or custom scripts to test the intake endpoint by submitting payloads and observing if they are stored and executed.

Mitigation Strategies

As no patch is currently available for this vulnerability, immediate mitigation steps focus on limiting exposure and risk.

  • Restrict API access to trusted users only, especially limiting low-privileged project members or guests from creating intake work items via the API.
  • Implement additional input validation or sanitization on the description_html field before accepting intake work items, if possible.
  • Educate privileged users to be cautious when reviewing intake work items, especially those created via the API, to avoid executing malicious scripts.
  • Monitor and audit intake work items regularly for suspicious HTML or JavaScript content.
  • Consider temporarily disabling or restricting the API v1 intake endpoint if feasible until a patch is released.
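The detection and mitigation bullets above describe one check from two sides: inspecting stored intake work items for script-bearing markup, and sanitizing the description_html field before an intake item is accepted. The Python script below is an added example, not code from this advisory or from the Plane project. It assumes intake work items have been exported (for instance through the API) as dicts with id and description_html keys; the sample records are constructed, and the allow-list of tags and attributes is an assumption about what a rich-text description legitimately needs, not Plane's actual sanitizer configuration.

```python
"""Audit and sanitize description_html of exported intake work items.

Added example (not from the advisory or the Plane project). Assumes items
are dicts with 'id' and 'description_html'; the sample data is constructed.
"""
import html
import re
from html.parser import HTMLParser

# Presence of any of these elements is reported as a finding. Assumption:
# a rich-text issue description never legitimately needs them.
SCRIPT_BEARING_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
                       "base", "link", "meta", "style", "form", "template"}
# Elements whose raw text content is discarded along with the element.
DROP_CONTENT_TAGS = {"script", "style", "template", "iframe", "object"}
# Allow-list of a typical rich-text subset (assumed, not Plane's list).
ALLOWED_TAGS = {"p", "br", "strong", "em", "b", "i", "u", "s", "code", "pre",
                "blockquote", "ul", "ol", "li", "h1", "h2", "h3", "h4", "a",
                "img", "table", "thead", "tbody", "tr", "th", "td", "hr"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"},
                 "th": {"colspan", "rowspan"}, "td": {"colspan", "rowspan"}}
VOID_TAGS = {"br", "img", "hr"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Browsers ignore ASCII control/whitespace characters inside a URL scheme,
# so they are stripped before the scheme is compared.
_SCHEME_NOISE = re.compile(r"[\x00-\x20\x7f]")


def scheme_of(url):
    """Lowercase scheme of url, or None when the URL is relative."""
    cleaned = _SCHEME_NOISE.sub("", url)
    head = cleaned.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    return head.split(":", 1)[0].lower() if ":" in head else None


class DescriptionAuditor(HTMLParser):
    """Single pass over description_html: records findings and rebuilds an
    allow-listed copy of the markup with text re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []      # human-readable reasons
        self.out = []           # sanitized markup fragments
        self._skipping = None   # element whose content is being discarded

    def handle_starttag(self, tag, attrs):
        if self._skipping:
            return
        if tag in SCRIPT_BEARING_TAGS:
            self.findings.append(f"disallowed element <{tag}>")
            if tag in DROP_CONTENT_TAGS:
                self._skipping = tag
            return
        kept = []
        for name, value in attrs:    # HTMLParser lower-cases names already
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name} on <{tag}>")
                continue
            if name in URL_ATTRS:
                scheme = scheme_of(value)
                if scheme is not None and scheme not in SAFE_SCHEMES:
                    self.findings.append(f"{scheme}: URL in {name} on <{tag}>")
                    continue
            if name in ALLOWED_ATTRS.get(tag, set()):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag in ALLOWED_TAGS:      # unknown tags are dropped, text kept
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self._skipping:
            if tag == self._skipping:
                self._skipping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(html.escape(data, quote=False))


def audit_description(description_html):
    """Return (sanitized_html, findings) for one description_html value."""
    auditor = DescriptionAuditor()
    auditor.feed(description_html)
    auditor.close()
    return "".join(auditor.out), auditor.findings


def scan_intake_items(items):
    """Detection side: list the items whose description_html carries
    script-bearing markup, with the reasons."""
    report = []
    for item in items:
        _, findings = audit_description(item.get("description_html") or "")
        if findings:
            report.append({"id": item["id"], "findings": findings})
    return report


SAMPLE_INTAKE_ITEMS = [  # constructed records, not real Plane data
    {"id": "intake-001",
     "description_html": "<p>Reset link returns <strong>500</strong> for SSO users.</p>"},
    {"id": "intake-002",
     "description_html": "<p>Steps attached.</p><script>console.log('constructed')</script>"},
    {"id": "intake-003",
     "description_html": '<p>Screenshot: <img src="x" onerror="console.log(1)"> '
                         '<a href="java\tscript:void(0)">link</a></p>'},
]

if __name__ == "__main__":
    for entry in scan_intake_items(SAMPLE_INTAKE_ITEMS):
        print(entry["id"], "->", "; ".join(entry["findings"]))
```

Running the scan over an export gives the detection bullet's review of stored items; calling audit_description in a pre-save hook and storing only the sanitized half gives the mitigation bullet's server-side sanitization, since the same parser drives both. A parser is used rather than a regular expression over the raw string because browsers tolerate markup (split attributes, control characters inside a scheme) that simple pattern matching misses.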

Compliance Impact

The vulnerability allows a low-privileged user to inject malicious HTML/JavaScript that executes in the browser of privileged users, potentially exposing sensitive data or enabling unauthorized actions.

Such exposure of sensitive data or unauthorized actions could lead to non-compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure.

However, the provided information does not explicitly detail the impact on compliance with these standards.
