Vulnerability Description
Plane is open-source project management software. Prior to version 0.28.0, a stored cross-site scripting (XSS) vulnerability exists in the description_html field of Plane. This flaw allows an attacker to inject malicious JavaScript code that is stored and later executed in other users’ browsers. The description_html field is not properly sanitized or escaped. An attacker can submit crafted JavaScript payloads that are saved in the application’s database. When another user views the affected content, the injected code executes in their browser, running in the application’s context and bypassing standard security protections. Successful exploitation can lead to session hijacking, theft of sensitive information, or forced redirection to malicious sites. The vulnerability can also be chained with CSRF attacks to perform unauthorized actions, or leveraged to distribute malware and exploit additional browser vulnerabilities. This issue has been patched in version 0.28.0.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://drive.google.com/file/d/1lQzQJ9Eun6xmcxyyAkr5ORyIrfw9ys5w/view?usp=shari
- https://github.com/makeplane/plane/security/advisories/GHSA-rwjc-xhh3-m9m9
FAQ
What is CVE-2025-55203?
CVE-2025-55203 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Plane is open-source project management software. Prior to version 0.28.0, a stored cross-site scripting (XSS) vulnerability exists in the description_html field of Plane. This flaw allows an attacker...
How severe is CVE-2025-55203?
CVE-2025-55203 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-55203?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.