Vulnerability Details CVE-2025-48070
Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site scripting (XSS). Version 0.23 fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 5.7%
CVSS Severity
CVSS v3 Score 3.5
References
Products affected by CVE-2025-48070
-
cpe:2.3:a:plane:plane:0.1
-
cpe:2.3:a:plane:plane:0.2
-
cpe:2.3:a:plane:plane:0.2.1
-
cpe:2.3:a:plane:plane:0.3
-
cpe:2.3:a:plane:plane:0.3.1
-
cpe:2.3:a:plane:plane:0.4
-
cpe:2.3:a:plane:plane:0.5
-
cpe:2.3:a:plane:plane:0.6
-
cpe:2.3:a:plane:plane:0.7
-
cpe:2.3:a:plane:plane:0.7.1
-
cpe:2.3:a:plane:plane:0.8
-
cpe:2.3:a:plane:plane:0.9