CVE-2025-62716 HIGH

CVE-2025-62716: Plane Vulnerable to Cross-Site Scripting via Open Redirect in ?next_path Parameter

Vendor Makeplane
Product plane
Weakness CWE-79 · XSS
Published October 24, 2025
Last update October 24, 2025

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary schemes (e.g., javascript:) that are passed directly to router.push. This results in a cross-site scripting (XSS) vulnerability, enabling attackers to execute arbitrary JavaScript in the victim’s browser. The issue can be exploited without authentication and has severe impact, including information disclosure, and privilege escalation and modifications of administrative settings. This issue has been patched in version 1.1.0.

Key dates

02Disclosure timeline

October 24, 2025 CVE published
October 24, 2025 Record updated