CVE-2026-34975: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in useplunk plunk
CVE-2026-34975 is a high-severity CRLF injection vulnerability in the open-source email platform plunk (useplunk) versions prior to 0. 8. 0. The flaw allows authenticated API users to inject arbitrary email headers by embedding carriage return and line feed characters in certain user-supplied fields such as from. name, subject, custom header keys/values, and attachment filenames. This can lead to silent email forwarding, reply redirection, or sender spoofing. The vulnerability is fixed in version 0. 8. 0 by adding input validation to reject these characters in the affected fields. The platform is cloud-hosted, and the vendor manages remediation for the service.
AI Analysis
Technical Summary
Plunk versions before 0.8.0 contain a CRLF header injection vulnerability in SESService.ts where user inputs for email headers and attachment filenames are directly interpolated into raw MIME messages without sanitization. Authenticated API users can exploit this by injecting carriage return and line feed characters to add arbitrary email headers such as Bcc or Reply-To, enabling manipulation of email behavior including silent forwarding and spoofing. The vulnerability is addressed in version 0.8.0 by enforcing input validation at the schema level to reject \r and \n characters in these fields, aligning with existing validation on other fields. The product is a cloud service built on AWS SES, and the vendor manages patching server-side.
Potential Impact
Successful exploitation allows authenticated API users to inject arbitrary email headers, potentially causing silent email forwarding, reply redirection, or sender spoofing. This can compromise email integrity and confidentiality. The vulnerability does not impact availability. The CVSS score of 8.5 reflects high impact on confidentiality and limited impact on integrity, with no impact on availability.
Mitigation Recommendations
A fix is available in plunk version 0.8.0, which adds input validation to reject carriage return and line feed characters in user-supplied email header fields and attachment filenames. Since plunk is a cloud-hosted service, the vendor manages remediation server-side. Users should ensure they are using version 0.8.0 or later. Check the vendor advisory for confirmation of patch deployment status. No additional mitigation is required if the service is updated.
CVE-2026-34975: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in useplunk plunk
Description
CVE-2026-34975 is a high-severity CRLF injection vulnerability in the open-source email platform plunk (useplunk) versions prior to 0. 8. 0. The flaw allows authenticated API users to inject arbitrary email headers by embedding carriage return and line feed characters in certain user-supplied fields such as from. name, subject, custom header keys/values, and attachment filenames. This can lead to silent email forwarding, reply redirection, or sender spoofing. The vulnerability is fixed in version 0. 8. 0 by adding input validation to reject these characters in the affected fields. The platform is cloud-hosted, and the vendor manages remediation for the service.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Plunk versions before 0.8.0 contain a CRLF header injection vulnerability in SESService.ts where user inputs for email headers and attachment filenames are directly interpolated into raw MIME messages without sanitization. Authenticated API users can exploit this by injecting carriage return and line feed characters to add arbitrary email headers such as Bcc or Reply-To, enabling manipulation of email behavior including silent forwarding and spoofing. The vulnerability is addressed in version 0.8.0 by enforcing input validation at the schema level to reject \r and \n characters in these fields, aligning with existing validation on other fields. The product is a cloud service built on AWS SES, and the vendor manages patching server-side.
Potential Impact
Successful exploitation allows authenticated API users to inject arbitrary email headers, potentially causing silent email forwarding, reply redirection, or sender spoofing. This can compromise email integrity and confidentiality. The vulnerability does not impact availability. The CVSS score of 8.5 reflects high impact on confidentiality and limited impact on integrity, with no impact on availability.
Mitigation Recommendations
A fix is available in plunk version 0.8.0, which adds input validation to reject carriage return and line feed characters in user-supplied email header fields and attachment filenames. Since plunk is a cloud-hosted service, the vendor manages remediation server-side. Users should ensure they are using version 0.8.0 or later. Check the vendor advisory for confirmation of patch deployment status. No additional mitigation is required if the service is updated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T19:38:31.616Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69d3dfa80a160ebd92c701d8
Added to database: 4/6/2026, 4:30:32 PM
Last enriched: 4/14/2026, 4:05:12 PM
Last updated: 5/22/2026, 8:34:13 PM
Views: 62
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.