CVE

CVE-2025-62716

Plane Vulnerable to Cross-Site Scripting via Open Redirect in ?next_path Parameter

CVE

CVE-2025-62716

Plane Vulnerable to Cross-Site Scripting via Open Redirect in ?next_path Parameter

Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary schemes (e.g., javascript:) that are passed directly to router.push. This results in a cross-site scripting (XSS) vulnerability, enabling attackers to execute arbitrary JavaScript in the victim’s browser. The issue can be exploited without authentication and has severe impact, including information disclosure, and privilege escalation and modifications of administrative settings. This issue has been patched in version 1.1.0.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

8.1

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62716.json, https://github.com/makeplane/plane/security/advisories/GHSA-6fj7-xgpg-mj6f, https://nvd.nist.gov/vuln/detail/CVE-2025-62716

Severity

8.1

CVSS Score

Basic Information

Ecosystem

Base CVSS

8.1

EPSS Probability

0.00082%

EPSS Percentile

0.24361%

Introduced Version

Fix Available

e710f5b278ed114b7e1f252333c129e885692e4b

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2025-62716

CVE-2025-62716

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

8.1

Basic Information

Fix Critical Vulnerabilities Instantly