Home > Vulnerability Database > CVE-2025-62716

Mend.io Vulnerability Database

CVE-2025-62716

Good to know:

Date: October 24, 2025

Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary schemes (e.g., javascript:) that are passed directly to router.push. This results in a cross-site scripting (XSS) vulnerability, enabling attackers to execute arbitrary JavaScript in the victim’s browser. The issue can be exploited without authentication and has severe impact, including information disclosure, and privilege escalation and modifications of administrative settings. This issue has been patched in version 1.1.0.

Severity Score

8.1

Related Resources (3)

Url: https://github.com/makeplane/plane/security/advisories/GHSA-6fj7-xgpg-mj6f

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-62716

Url: https://www.mend.io/vulnerability-database/CVE-2025-62716

Severity Score

8.1

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

URL Redirection to Untrusted Site ('Open Redirect')

CWE-601

Top Fix

Upgrade Version

Upgrade to version https://github.com/makeplane/plane.git - v1.1.0

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-62716

Good to know:

Date: October 24, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?