XSS in Plane

CVE-2026-10850

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.

Vulnerability class: XSS (Cross-Site Scripting)