CVE-2026-30242

Published: Mar 06, 2026 Last Modified: Mar 10, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 8,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: changed
Confidentiality: high
Integrity: low
Availability: none

Description

AI Translation Available

Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back. This issue has been patched in version 1.2.3.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0003
Percentile
0,1th
Updated

EPSS Score Trend (Last 9 Days)

918

Server-Side Request Forgery (SSRF)

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control
Potential Impacts:
Read Application Data Execute Unauthorized Code Or Commands Bypass Protection Mechanism
Applicable Platforms
Technologies: AI/ML, Web Based, Web Server
View CWE Details
Application

Plane by Plane

Product Information
Vendor Plane
Product Plane
Version Range Affected
To 1.2.3 (exclusive)
cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://github.com/makeplane/plane/releases/tag/v1.2.3
https://github.com/makeplane/plane/releases/tag/v1.2.3
https://github.com/makeplane/plane/security/advisories/GHSA…
https://github.com/makeplane/plane/security/advisories/GHSA-fpx8-73gf-7x73