CVE-2026-34975

The CVE describes a CRLF header injection vulnerability in Plunk’s SESService.ts prior to version 0.8.0. An authenticated API user could inject arbitrary email headers (e.g., Bcc, Reply-To) by embedding CRLF characters in from.name, subject, custom header keys/values, or attachment filenames, bec...