{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/project-management/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-39843"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","cve-2026-39843","plane","project-management"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePlane is an open-source project management tool. Versions prior to 1.3.0 are vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2026-39843. This vulnerability stems from an incomplete fix for GHSA-jcc6-f9v6-f7jw. An authenticated attacker with low privileges can exploit this vulnerability by supplying a crafted HTML page containing a \u003ccode\u003e\u0026lt;link\u0026gt;\u003c/code\u003e tag that redirects to a private IP address when using the \u0026ldquo;Add link\u0026rdquo; functionality. The vulnerability exists within the \u003ccode\u003efetch_and_encode_favicon()\u003c/code\u003e function, which uses \u003ccode\u003erequests.get(favicon_url, ...)\u003c/code\u003e and follows redirects by default. This allows the attacker to force the server to make requests to internal resources. The vulnerability is resolved in version 1.3.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to a Plane instance with low-privilege credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTML page containing a \u003ccode\u003e\u0026lt;link\u0026gt;\u003c/code\u003e tag in the \u003ccode\u003e\u0026lt;head\u0026gt;\u003c/code\u003e section. The \u003ccode\u003ehref\u003c/code\u003e attribute of this tag points to a redirect URL.\u003c/li\u003e\n\u003cli\u003eThe redirect URL points to a private IP address or internal service (e.g., \u003ccode\u003ehttp://192.168.1.100/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u0026ldquo;Add link\u0026rdquo; functionality in Plane to add the crafted HTML page\u0026rsquo;s URL to a project or task.\u003c/li\u003e\n\u003cli\u003ePlane\u0026rsquo;s \u003ccode\u003efetch_and_encode_favicon()\u003c/code\u003e function attempts to fetch the favicon from the supplied URL.\u003c/li\u003e\n\u003cli\u003eDue to the redirect in the malicious HTML page, the server-side request is redirected to the private IP address specified in the \u003ccode\u003ehref\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eThe server fetches content from the internal resource.\u003c/li\u003e\n\u003cli\u003eThe attacker can view the response from the internal resource, potentially revealing sensitive information or allowing further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability allows an authenticated, low-privilege attacker to read internal resources that the Plane server has access to. This could lead to the exposure of sensitive data, such as configuration files, internal API endpoints, or other confidential information. The number of potential victims is equal to the number of organizations using vulnerable versions of the Plane project management tool. The severity of the impact depends on the sensitivity of the information exposed and the attacker\u0026rsquo;s ability to leverage the exposed information for further attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Plane to version 1.3.0 or later to patch CVE-2026-39843.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests originating from the Plane application to internal IP addresses, especially those in the private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Use the Sigma rule \u003ccode\u003eDetect Plane SSRF via Internal IP Request\u003c/code\u003e to identify such requests.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and restrict the Plane server\u0026rsquo;s access to only necessary internal resources.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional input validation and sanitization measures to prevent the injection of malicious URLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T16:16:31Z","date_published":"2026-04-09T16:16:31Z","id":"/briefs/2026-04-plane-ssrf/","summary":"Plane project management tool versions before 1.3.0 are vulnerable to Server-Side Request Forgery (SSRF), allowing authenticated low-privilege attackers to read internal resources by exploiting the favicon fetch functionality.","title":"Plane Project Management Tool SSRF Vulnerability (CVE-2026-39843)","url":"https://feed.craftedsignal.io/briefs/2026-04-plane-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Project-Management","version":"https://jsonfeed.org/version/1.1"}