CVE-2026-42192
Received Received - Intake
Stored XSS in Plunk Email Platform

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42192
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
plunk plunk to 0.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in the Plunk email platform prior to version 0.9.0. It occurs in the campaign management feature where email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization.

Because of this, a lower-privileged member can embed malicious scripts in a campaign's email body. These scripts execute in the context of any admin or other member who views the campaign, potentially allowing session hijacking or unauthorized actions on their behalf.

The issue was fixed in version 0.9.0.

Impact Analysis

This vulnerability can impact you by allowing a lower-privileged user to inject malicious scripts into the email campaign content.

When an admin or other member views the campaign, these scripts execute in their browser context, potentially leading to session hijacking or unauthorized actions performed on their behalf.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Plunk to version 0.9.0 or later, where the stored cross-site scripting (XSS) issue in the campaign management feature has been patched.

Additionally, avoid using versions prior to 0.9.0, as they allow lower-privileged members to embed malicious scripts in email bodies that can execute in the context of admins or other members.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42192. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart