7.7

Plane Project Management Tool: Data Theft Risk Through Malicious Links

CVE-2026-27706
Summary

An authenticated attacker with general user privileges can use the 'Add Link' feature to make the server send arbitrary GET requests to the internal network and read back the full response. This lets the attacker steal sensitive data from internal services and cloud metadata endpoints. Update to version 1.2.2 to fix the issue.

What to do

Update Plane to version 1.2.2, which fixes the issue.

Affected software
Vendor | Product | Affected versions | Fix available
plane | plane | <= 1.2.2 | –
Original title
Plane is an open-source project management tool. Prior to version 1.2.2, a Full Read Server-Side Request Forgery (SSRF) vulnerability has been identified in the "Add Link" feature. This flaw all...
Original description
Plane is an open-source project management tool. Prior to version 1.2.2, a Full Read Server-Side Request Forgery (SSRF) vulnerability has been identified in the "Add Link" feature. This flaw allows an authenticated attacker with general user privileges to send arbitrary GET requests to the internal network and exfiltrate the full response body. By exploiting this vulnerability, an attacker can steal sensitive data from internal services and cloud metadata endpoints. Version 1.2.2 fixes the issue.
NVD CVSS 3.1: 7.7
Vulnerability type
CWE-918 Server-Side Request Forgery (SSRF)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026