Home / Vulnerability Intelligence / CVE-2026-30242

CVE-2026-30242 - Vulnerability Analysis

HighCVSS: 8.5

Last Updated: March 9, 2026

Plane - Server Side Request Forgery

Published: March 6, 2026Updated: March 9, 2026Remote Exploitable

Overview

Plane < 1.2.3 contains a server-side request forgery caused by insufficient webhook URL validation allowing workspace ADMIN attackers to create webhooks pointing to internal network addresses, enabling SSRF with full response read-back.

Severity & Score

Severity: High

CVSS Score: 8.5

EPSS Score: 2.8%(Probability of exploitation in next 30 days)

Impact

Attackers with workspace ADMIN role can perform SSRF to internal network addresses and read full responses, potentially exposing sensitive internal data.

Mitigation

Update to version 1.2.3 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 7, 2026

🟠 CVE-2026-30242 - High (8.5) Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to priv... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30242/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-30242
Severity: High
CVSS Score: 8.5
Type: server_side_request_forgery
Status: unconfirmed
EPSS: 2.8%
Social Posts: 1

CWE

CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

EPSS Score

2.8%Probability of exploitation in the next 30 days