Description

PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. Attackers can frame the legitimate Planka application on a malicious site to establish false trust (UI Redressing), potentially tricking users into entering sensitive information or credentials into overlaid fake forms. NOTE: this is disputed by the Supplier because "PLANKA uses SameSite=Strict cookies, preventing authentication in cross-origin contexts. No session can be established. No credential interception or unauthorized actions are possible. Browser Same-Origin Policy prevents the parent page from accessing iframe content. Clickjacking is not applicable on the login page. Any credential capture would require attacker-controlled input and user interaction equivalent to phishing. The security outcome depends entirely on the user's trust in the parent page. An attacker can achieve the same effect with a fully fake login page. Embedding the legitimate page adds no risk, as browsers do not show URL, certificate, or padlock indicators in cross-origin iframes."

INFO

Published Date :

2026-01-05T00:00:00.000Z

Last Modified :

2026-01-05T21:35:02.790Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-65922 vulnerability.

Vendors Products
Planka
  • Planka
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-65922.

URL Resource
https://github.com/09OHs/CVE/blob/e67290bef68d35980d10fd87c9c4403d8e40fc2c/CVE-2025-65922/CVE-2025-65922.pdf cve-icon cve-icon
https://github.com/plankanban/planka cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact