CVE-2026-39843
🟡 Monitoruj
Wykorzystanie luk w Plane pozwala na atak typu Server-Side Request Forgery przez uwierzytelnionego napastnika.
CVSS
7.7
EPSS
0.0%
Exploit
poc
Vendor
plane
Opis źródłowy (NVD)
Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address is supplied to Add link by an authenticated attacker with low privileges. Redirects for the main page URL are validated, but not the favicon fetch path. fetch_and_encode_favicon() still uses requests.get(favicon_url, ...) with the default redirect-following. This vulnerability is fixed in 1.3.0.
exploit ssrf
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 7.7 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-04-09 16:16:31 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-17 20:08:53 UTC |
Referencje
- https://github.com/makeplane/plane/security/advisories/GHSA-9fr2-pprw-pp9j (security-advisories@github.com) [Exploit, Vendor Advisory]