Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address is supplied to Add link by an authenticated attacker with low privileges. Redirects for the main page URL are validated, but not the favicon fetch path. fetchandencodefavicon() still uses requests.get(faviconurl, ...) with the default redirect-following. This vulnerability is fixed in 1.3.0.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39843.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-918"
]
}