Plunk
CVE-2026-32096
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to any host accessible from the server. This vulnerability is fixed in 0.7.0.
AnalysisAI
SSRF in Plunk email platform before 0.7.0.
Technical ContextAI
CWE-918.
RemediationAI
Update.
CRLF injection in Plunk email platform's SESService.ts allows authenticated API users to inject arbitrary MIME headers b
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (X
Plunk is an open-source email platform built on top of AWS SES. versions up to 0.7.1 is affected by cross-site scripting
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today