CVE-2026-42192 - Vulnerability Details

Description

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0.

Published: 2026-05-08

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Plunk’s campaign management feature stores the email body content created by authenticated project members and later renders that content in the admin dashboard using React’s dangerouslySetInnerHTML without any HTML sanitization. This stored cross‑site scripting vulnerability allows a lower‑privileged member to embed malicious scripts in a campaign’s email body. When any admin or other member views the campaign, the script runs in their browser session, potentially hijacking the victim’s session or performing unauthorized actions on their behalf.

Affected Systems

The vulnerability affects all versions of the open‑source Plunk email platform built on AWS SES before version 0.9.0. Users of the 0.9.0 release and later are not impacted.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate risk. No EPSS score is available, and the issue is not listed in CISA KEV, suggesting that widespread exploitation is not currently documented. The likely attack vector is a web‑based interaction within the Plunk administration interface, performed by a lower privileged authenticated user who has permission to create or edit campaigns. The vulnerability can be exploited without needing elevated privileges beyond those required to create a campaign, but the attacker must later be able to view the campaign in the admin dashboard to trigger the malicious script.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

useplunk

plunk

affected

Version	Status	Constraints
`< 0.9.0`	affected	—

No data.

Vendor Product Confidence Versions

Useplunk

Plunk

100%

Version	Status	Scheme	Platform
`[0,0.9.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Plunk to version 0.9.0 or later, which removes the vulnerable rendering path.
Implement server‑side input sanitization for email body content, allowing only safe HTML elements and attributes before storage.
Deploy a restrictive Content Security Policy that blocks inline scripts and disallows unsafe‑eval to mitigate any remaining XSS vectors.

Generated by OpenCVE AI on May 8, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00029.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/useplunk/plunk/releases/tag/v0.9.0
https://github.com/useplunk/plunk/security/advisories/GHSA-mjqc-qrv3-24hq

History

Fri, 08 May 2026 23:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Useplunk Useplunk plunk
Vendors & Products		Useplunk Useplunk plunk

Fri, 08 May 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0.
Title		Plunk: Stored XSS in campaign view
Weaknesses		CWE-79
References		https://github.com/useplunk/plunk/releases/tag/v0.9.0 https://github.com/useplunk/plunk/security/advisories/GHSA-mjqc-qrv3-24hq
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Useplunk Plunk

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-08T21:13:25.159Z

Updated: 2026-05-08T21:13:25.159Z

Reserved: 2026-04-25T01:53:21.583Z

Link: CVE-2026-42192

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T22:16:31.133

Modified: 2026-05-08T22:16:31.133

Link: CVE-2026-42192

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:00:15Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object