Description
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to any host accessible from the server. This vulnerability is fixed in 0.7.0.
Published: 2026-03-11
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery enabling arbitrary outbound requests
Action: Patch Immediately
AI Analysis

Impact

An unauthenticated attacker can craft an AWS SNS SubscriptionConfirmation message and send it to Plunk’s /webhooks/sns endpoint. The handler accepts the message without validating the target URL and initiates an outbound HTTP GET to the supplied URL. This Server‑Side Request Forgery (CWE‑918) permits the attacker to cause the Plunk server to reach any host reachable from its network, exposing internal resources, leaking data, or exhausting system resources.

Affected Systems

Deployment environments running any version of the open‑source email platform Plunk (useplunk:plunk) prior to version 0.7.0 are affected. The specific affected version range is not enumerated beyond the indication that all releases before 0.7.0 contain the flaw. Versions 0.7.0 and later incorporate the fix, as stated in the vendor advisory.

Risk and Exploitability

The vulnerability has a CVSS score of 9.3, indicating critical severity. The EPSS score is under 1%, implying limited exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is an unauthenticated HTTP POST to the exposed /webhooks/sns endpoint; no authentication or privileged access is required. Exposed deployments can be exploited from any internet‑reachable location, making the risk high for publicly accessible instances.

Generated by OpenCVE AI on March 17, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Plunk to version 0.7.0 or later to fix the SSRF issue.

Generated by OpenCVE AI on March 17, 2026 at 17:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:useplunk:plunk:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Useplunk
Useplunk plunk
Vendors & Products Useplunk
Useplunk plunk

Wed, 11 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Description Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to any host accessible from the server. This vulnerability is fixed in 0.7.0.
Title Plunk has SSRF via unvalidated AWS SNS SubscriptionConfirmation in POST /webhooks/sns
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Useplunk Plunk
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:00:12.401Z

Reserved: 2026-03-10T22:02:38.853Z

Link: CVE-2026-32096

cve-icon Vulnrichment

Updated: 2026-03-12T20:00:09.119Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T20:16:18.090

Modified: 2026-03-16T17:00:18.470

Link: CVE-2026-32096

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:37:28Z

Weaknesses