Skip to main content

Plunk CVE-2026-34975

| EUVDEUVD-2026-19359 HIGH
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-04-06 GitHub_M
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 22, 2026 - 20:07 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:06 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
0.8.0
EUVD ID Assigned
Apr 06, 2026 - 16:45 euvd
EUVD-2026-19359
Analysis Generated
Apr 06, 2026 - 16:45 vuln.today
CVE Published
Apr 06, 2026 - 16:10 nvd
HIGH 8.5

DescriptionGitHub Advisory

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames were interpolated directly into raw MIME messages without sanitization. An authenticated API user could inject arbitrary email headers (e.g. Bcc, Reply-To) by embedding carriage return/line feed characters in these fields, enabling silent email forwarding, reply redirection, or sender spoofing. The fix adds input validation at the schema level to reject any of these fields containing \r or \n characters, consistent with the existing validation already applied to the contentId field. This vulnerability is fixed in 0.8.0.

AnalysisAI

CRLF injection in Plunk email platform's SESService.ts allows authenticated API users to inject arbitrary MIME headers by embedding carriage return/line feed sequences in user-controlled fields (from.name, subject, custom headers, attachment filenames). Attackers can silently add Bcc headers for email forwarding, manipulate Reply-To addresses, or spoof senders by exploiting the lack of input sanitization before MIME message construction. CVSS 8.5 severity reflects network-accessible exploitation with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026 CVE identifier. Vendor-released patch: version 0.8.0 implements schema-level validation rejecting CR/LF characters.

Technical ContextAI

Plunk is an open-source email platform leveraging Amazon Web Services Simple Email Service (AWS SES) for message delivery. The vulnerability resides in SESService.ts, where raw MIME (Multipurpose Internet Mail Extensions) message construction occurs through string interpolation. MIME messages use CRLF sequences (\r\n) as header delimiters per RFC 5322. The affected code path accepted user-supplied values for sender display name, subject line, custom header key-value pairs, and attachment filenames without validating against embedded CRLF characters. This is classified as CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers/Email Headers), a header injection vulnerability class. The CPE identifier cpe:2.3:a:useplunk:plunk confirms all versions prior to 0.8.0 of the useplunk/plunk application are affected. Interestingly, the codebase already implemented CRLF validation for the contentId field, indicating developers understood the risk but failed to apply consistent sanitization across all user-controlled MIME inputs.

RemediationAI

Upgrade to Plunk version 0.8.0 or later, which implements schema-level input validation rejecting carriage return and line feed characters in from.name, subject, custom header keys/values, and attachment filename fields. The fix extends existing contentId validation patterns to all user-controlled MIME inputs, preventing CRLF sequences from reaching the raw message construction logic. Organizations should review the GitHub security advisory at https://github.com/useplunk/plunk/security/advisories/GHSA-2mvm-rg5v-7hfq for upgrade instructions and verify the patch resolves the issue in their deployment environment. As an interim mitigation for environments unable to immediately upgrade, implement API gateway or application-layer filtering to reject requests containing \r or \n characters in the affected fields, though this workaround may introduce edge cases with legitimate use of special characters. Conduct post-upgrade validation by testing API calls with CRLF-embedded payloads to confirm rejection, and audit historical email logs for suspicious header patterns indicating potential prior exploitation.

Share

CVE-2026-34975 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy