Description

Plane is open-source project management software. Prior to version 0.28.0, a stored cross-site scripting (XSS) vulnerability exists in the description_html field of Plane. This flaw allows an attacker to inject malicious JavaScript code that is stored and later executed in other users’ browsers. The description_html field is not properly sanitized or escaped. An attacker can submit crafted JavaScript payloads that are saved in the application’s database. When another user views the affected content, the injected code executes in their browser, running in the application’s context and bypassing standard security protections. Successful exploitation can lead to session hijacking, theft of sensitive information, or forced redirection to malicious sites. The vulnerability can also be chained with CSRF attacks to perform unauthorized actions, or leveraged to distribute malware and exploit additional browser vulnerabilities. This issue has been patched in version 0.28.0.

INFO

Published Date :

2025-08-15T15:06:00.636Z

Last Modified :

2025-08-15T19:09:18.212Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-55203 vulnerability.

Vendors Products
Makeplane
  • Plane
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-55203.

URL Resource
https://drive.google.com/file/d/1lQzQJ9Eun6xmcxyyAkr5ORyIrfw9ys5w/view?usp=sharing cve-icon cve-icon
https://github.com/makeplane/plane/security/advisories/GHSA-rwjc-xhh3-m9m9 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact