Skip to main content

Plunk

4 CVEs product

Monthly

CVE-2026-42192 MEDIUM PATCH This Month

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0.

XSS Plunk
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34975 HIGH PATCH This Week

CRLF injection in Plunk email platform's SESService.ts allows authenticated API users to inject arbitrary MIME headers by embedding carriage return/line feed sequences in user-controlled fields (from.name, subject, custom headers, attachment filenames). Attackers can silently add Bcc headers for email forwarding, manipulate Reply-To addresses, or spoof senders by exploiting the lack of input sanitization before MIME message construction. CVSS 8.5 severity reflects network-accessible exploitation with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026 CVE identifier. Vendor-released patch: version 0.8.0 implements schema-level validation rejecting CR/LF characters.

Code Injection Plunk
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-32096 CRITICAL Act Now

SSRF in Plunk email platform before 0.7.0.

SSRF Plunk
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-32095 MEDIUM This Month

Plunk is an open-source email platform built on top of AWS SES. versions up to 0.7.1 is affected by cross-site scripting (xss) (CVSS 5.4).

XSS Plunk
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0.

XSS Plunk
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

CRLF injection in Plunk email platform's SESService.ts allows authenticated API users to inject arbitrary MIME headers by embedding carriage return/line feed sequences in user-controlled fields (from.name, subject, custom headers, attachment filenames). Attackers can silently add Bcc headers for email forwarding, manipulate Reply-To addresses, or spoof senders by exploiting the lack of input sanitization before MIME message construction. CVSS 8.5 severity reflects network-accessible exploitation with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026 CVE identifier. Vendor-released patch: version 0.8.0 implements schema-level validation rejecting CR/LF characters.

Code Injection Plunk
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

SSRF in Plunk email platform before 0.7.0.

SSRF Plunk
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Plunk is an open-source email platform built on top of AWS SES. versions up to 0.7.1 is affected by cross-site scripting (xss) (CVSS 5.4).

XSS Plunk
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy