CVE-2026-42192
Received Received - Intake

Stored XSS in Plunk Email Platform

Vulnerability report for CVE-2026-42192, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-07-09
AI Q&A
2026-05-09
EPSS Evaluated
2026-07-08
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
plunk plunk to 0.9.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in the Plunk email platform prior to version 0.9.0. It occurs in the campaign management feature where email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization.

Because of this, a lower-privileged member can embed malicious scripts in a campaign's email body. These scripts execute in the context of any admin or other member who views the campaign, potentially allowing session hijacking or unauthorized actions on their behalf.

The issue was fixed in version 0.9.0.

Impact Analysis

This vulnerability can impact you by allowing a lower-privileged user to inject malicious scripts into the email campaign content.

When an admin or other member views the campaign, these scripts execute in their browser context, potentially leading to session hijacking or unauthorized actions performed on their behalf.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Plunk to version 0.9.0 or later, where the stored cross-site scripting (XSS) issue in the campaign management feature has been patched.

Additionally, avoid using versions prior to 0.9.0, as they allow lower-privileged members to embed malicious scripts in email bodies that can execute in the context of admins or other members.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42192. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart