Vulnerability Details CVE-2026-30242
Plane is an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back. This issue has been patched in version 1.2.3.
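The gap between a loopback-only check and a full destination check, as an added example (not Plane's code and not the 1.2.3 patch). The function names, the injectable `resolver` parameter and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def loopback_only_allows(addr: str) -> bool:
    """Models the check described above: only loopback addresses are rejected."""
    return not ipaddress.ip_address(addr).is_loopback


def hardened_allows(addr: str) -> bool:
    """Allow only globally routable unicast addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # Unwrap ::ffff:a.b.c.d so the embedded IPv4 address is what gets judged.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    blocked = (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
        or not ip.is_global  # also covers 100.64.0.0/10 shared address space
    )
    return not blocked


def _resolve(host: str) -> list[str]:
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def webhook_url_allowed(url: str, resolver=_resolve) -> bool:
    """Reject the URL if ANY address its host resolves to is non-public.
    Run this again when the webhook is delivered, since DNS answers can change."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        return False
    return bool(addrs) and all(hardened_allows(a) for a in addrs)


# Constructed sample targets from the ranges named in the description.
SAMPLES = ["127.0.0.1", "10.0.0.5", "172.16.0.1", "192.168.1.10", "169.254.169.254"]

if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a:16} loopback-only={loopback_only_allows(a)!s:5} hardened={hardened_allows(a)}")
```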
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 9.4%
CVSS Severity
CVSS v3 Score 8.5
Products affected by CVE-2026-30242
- cpe:2.3:a:plane:plane:0.1
- cpe:2.3:a:plane:plane:0.2
- cpe:2.3:a:plane:plane:0.2.1
- cpe:2.3:a:plane:plane:0.23.0
- cpe:2.3:a:plane:plane:0.23.1
- cpe:2.3:a:plane:plane:0.24.0
- cpe:2.3:a:plane:plane:0.24.1
- cpe:2.3:a:plane:plane:0.25.0
- cpe:2.3:a:plane:plane:0.25.1
- cpe:2.3:a:plane:plane:0.25.2
- cpe:2.3:a:plane:plane:0.25.3
- cpe:2.3:a:plane:plane:0.26.0
- cpe:2.3:a:plane:plane:0.26.1
- cpe:2.3:a:plane:plane:0.27.0
- cpe:2.3:a:plane:plane:0.27.1
- cpe:2.3:a:plane:plane:0.28.0
- cpe:2.3:a:plane:plane:0.3
- cpe:2.3:a:plane:plane:0.3.1
- cpe:2.3:a:plane:plane:0.4
- cpe:2.3:a:plane:plane:0.5
- cpe:2.3:a:plane:plane:0.6
- cpe:2.3:a:plane:plane:0.7
- cpe:2.3:a:plane:plane:0.7.1
- cpe:2.3:a:plane:plane:0.8
- cpe:2.3:a:plane:plane:0.9
- cpe:2.3:a:plane:plane:1.0.0
- cpe:2.3:a:plane:plane:1.1.0
- cpe:2.3:a:plane:plane:1.2.0
- cpe:2.3:a:plane:plane:1.2.1