CVE-2025-48070 – Plane UserSerializer Account Takeover Vulnerability

CVE ID : CVE-2025-48070

Published : May 21, 2025, 10:15 p.m. | 58 minutes ago

Description : Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site scripting (XSS). Version 0.23 fixes the issue.

Severity: 3.5 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…