Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
UseplunkPlunk

3 matches found

CVE
CVEadded 2026/03/11 7:53 p.m.15 views

CVE-2026-32096

Plunk (open-source email platform built on AWS SES) contains a Server-Side Request Forgery (SSRF) in the SNS webhook handler prior to version 0.7.0. An unauthenticated attacker could craft a request that forced the server to perform an outbound HTTP GET to any host reachable from the server. The ...

9.3CVSS5.9AI score0.00273EPSS
Web
CVE
CVEadded 2026/04/06 4:10 p.m.10 views

CVE-2026-34975

The CVE describes a CRLF header injection vulnerability in Plunk’s SESService.ts prior to version 0.8.0. An authenticated API user could inject arbitrary email headers (e.g., Bcc, Reply-To) by embedding CRLF characters in from.name, subject, custom header keys/values, or attachment filenames, bec...

8.5CVSS6.1AI score0.00194EPSS
Web
CVE
CVEadded 2026/03/11 7:52 p.m.7 views

CVE-2026-32095

Plunk is an open-source email platform built on AWS SES. Before 0.7.1, its image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. The issue is fixed in 0.7.1. CVSS v3.1 base score is 5.4 (Me...

5.4CVSS5.8AI score0.00136EPSS