Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames were interpolated directly into raw MIME messages without sanitization. An authenticated API user could inject arbitrary email headers (e.g. Bcc, Reply-To) by embedding carriage return/line feed characters in these fields, enabling silent email forwarding, reply redirection, or sender spoofing. The fix adds input validation at the schema level to reject any of these fields containing \r or \n characters, consistent with the existing validation already applied to the contentId field. This vulnerability is fixed in 0.8.0.
AnalysisAI
CRLF injection in Plunk email platform's SESService.ts allows authenticated API users to inject arbitrary MIME headers by embedding carriage return/line feed sequences in user-controlled fields (from.name, subject, custom headers, attachment filenames). Attackers can silently add Bcc headers for email forwarding, manipulate Reply-To addresses, or spoof senders by exploiting the lack of input sanitization before MIME message construction. CVSS 8.5 severity reflects network-accessible exploitation with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026 CVE identifier. Vendor-released patch: version 0.8.0 implements schema-level validation rejecting CR/LF characters.
Technical ContextAI
Plunk is an open-source email platform leveraging Amazon Web Services Simple Email Service (AWS SES) for message delivery. The vulnerability resides in SESService.ts, where raw MIME (Multipurpose Internet Mail Extensions) message construction occurs through string interpolation. MIME messages use CRLF sequences (\r\n) as header delimiters per RFC 5322. The affected code path accepted user-supplied values for sender display name, subject line, custom header key-value pairs, and attachment filenames without validating against embedded CRLF characters. This is classified as CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers/Email Headers), a header injection vulnerability class. The CPE identifier cpe:2.3:a:useplunk:plunk confirms all versions prior to 0.8.0 of the useplunk/plunk application are affected. Interestingly, the codebase already implemented CRLF validation for the contentId field, indicating developers understood the risk but failed to apply consistent sanitization across all user-controlled MIME inputs.
RemediationAI
Upgrade to Plunk version 0.8.0 or later, which implements schema-level input validation rejecting carriage return and line feed characters in from.name, subject, custom header keys/values, and attachment filename fields. The fix extends existing contentId validation patterns to all user-controlled MIME inputs, preventing CRLF sequences from reaching the raw message construction logic. Organizations should review the GitHub security advisory at https://github.com/useplunk/plunk/security/advisories/GHSA-2mvm-rg5v-7hfq for upgrade instructions and verify the patch resolves the issue in their deployment environment. As an interim mitigation for environments unable to immediately upgrade, implement API gateway or application-layer filtering to reject requests containing \r or \n characters in the affected fields, though this workaround may introduce edge cases with legitimate use of special characters. Conduct post-upgrade validation by testing API calls with CRLF-embedded payloads to confirm rejection, and audit historical email logs for suspicious header patterns indicating potential prior exploitation.
SSRF in Plunk email platform before 0.7.0.
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (X
Plunk is an open-source email platform built on top of AWS SES. versions up to 0.7.1 is affected by cross-site scripting
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19359