CVE-2026-39843

Source
https://cve.org/CVERecord?id=CVE-2026-39843
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39843.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39843
Aliases
  • GHSA-9fr2-pprw-pp9j
Published
2026-04-09T15:43:34.963Z
Modified
2026-07-08T08:13:03.359524454Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Plane has a Server-Side Request Forgery (SSRF) in Favicon Fetching
Details

Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address is supplied to Add link by an authenticated attacker with low privileges. Redirects for the main page URL are validated, but not the favicon fetch path. fetchandencodefavicon() still uses requests.get(faviconurl, ...) with the default redirect-following. This vulnerability is fixed in 1.3.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39843.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

Git / github.com/makeplane/plane

Affected ranges

Type
GIT
Repo
https://github.com/makeplane/plane
Events
Database specific
{
    "cpe": "cpe:2.3:a:plane:plane:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.28.0"
        },
        {
            "fixed": "1.3.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39843.json"