CVE-2026-42192: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in useplunk plunk
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0.
AI Analysis
Technical Summary
Plunk, an open-source email platform built on AWS SES, had a stored XSS vulnerability (CWE-79) in versions before 0.9.0. Authenticated project members could embed malicious scripts in campaign email bodies, which are rendered unsafely in the admin dashboard via React's dangerouslySetInnerHTML without sanitization. This flaw enables script execution in the context of admins or other users viewing the campaign, potentially leading to session hijacking or unauthorized actions. The vulnerability is fixed in version 0.9.0. Since plunk is a cloud service, the vendor manages patching server-side.
Potential Impact
An attacker with lower privileges can inject malicious scripts into campaign email bodies that execute when viewed by admins or other members, potentially allowing session hijacking or unauthorized actions. The impact affects confidentiality and integrity but not availability. The CVSS score of 5.4 reflects a medium severity risk.
Mitigation Recommendations
The vulnerability is patched in plunk version 0.9.0. As plunk is a cloud-hosted service, the vendor manages remediation and patch deployment. Users should ensure they are using version 0.9.0 or later. Check the vendor advisory for confirmation of patch deployment status. No additional mitigation actions are indicated.
CVE-2026-42192: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in useplunk plunk
Description
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Plunk, an open-source email platform built on AWS SES, had a stored XSS vulnerability (CWE-79) in versions before 0.9.0. Authenticated project members could embed malicious scripts in campaign email bodies, which are rendered unsafely in the admin dashboard via React's dangerouslySetInnerHTML without sanitization. This flaw enables script execution in the context of admins or other users viewing the campaign, potentially leading to session hijacking or unauthorized actions. The vulnerability is fixed in version 0.9.0. Since plunk is a cloud service, the vendor manages patching server-side.
Potential Impact
An attacker with lower privileges can inject malicious scripts into campaign email bodies that execute when viewed by admins or other members, potentially allowing session hijacking or unauthorized actions. The impact affects confidentiality and integrity but not availability. The CVSS score of 5.4 reflects a medium severity risk.
Mitigation Recommendations
The vulnerability is patched in plunk version 0.9.0. As plunk is a cloud-hosted service, the vendor manages remediation and patch deployment. Users should ensure they are using version 0.9.0 or later. Check the vendor advisory for confirmation of patch deployment status. No additional mitigation actions are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-25T01:53:21.583Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69fe575bcbff5d86102f610e
Added to database: 5/8/2026, 9:36:27 PM
Last enriched: 5/8/2026, 9:51:49 PM
Last updated: 5/9/2026, 1:58:34 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.