
CVE-2026-27706

nvd nist
Published: Feb 25, 2026
Modified: Feb 27, 2026

CVSS score: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploitability: 3.1 / Impact: 4.0
Source: security-advisories@github.com (Secondary)

Description

Plane is an open-source project management tool. Prior to version 1.2.2, the "Add Link" feature contains a Full Read Server-Side Request Forgery (SSRF) vulnerability. This flaw allows an authenticated attacker with general user privileges to send arbitrary GET requests to the internal network and exfiltrate the full response body. By exploiting this vulnerability, an attacker can steal sensitive data from internal services and cloud metadata endpoints. Version 1.2.2 fixes the issue.

Affected (1)

Products: Plane: Plane (1 product)
Configuration A (1 vulnerable)
Vulnerable Software: Plane
Affected Versions: Before 1.2.2

References (2)

Source: security-advisories@github.com
Product, Release Notes
Source: security-advisories@github.com
Vendor Advisory
