CVE-2026-34975
CVE-2026-34975 is a high-severity vulnerability in Useplunk Plunk with a CVSS 3.x base score of 8.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-93.
Key facts
- Severity: High (CVSS 3.x base score 8.5)
- EPSS exploit prediction: 0% (9th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-19359
- Weakness: CWE-93
- Affected product: Useplunk Plunk
- Published:
- Last modified:
Description
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames were interpolated directly into raw MIME messages without sanitization. An authenticated API user could inject arbitrary email headers (e.g. Bcc, Reply-To) by embedding carriage return/line feed characters in these fields, enabling silent email forwarding, reply redirection, or sender spoofing. The fix adds input validation at the schema level to reject any of these fields containing \r or \n characters, consistent with the existing validation already applied to the contentId field. This vulnerability is fixed in 0.8.0.
Frequently asked questions
- What is CVE-2026-34975?
- Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames were interpolated directly into raw MIME messages without sanitization. An authenticated API user could inject arbitrary email headers (e.g. Bcc, Reply-To) by embedding carriage return/line feed characters in these fields, enabling silent email forwarding, reply redirection, or sender spoofing. The fix adds input validation at the schema level to reject any of these fields containing \r or \n characters, consistent with the existing validation already applied to the contentId field. This vulnerability is fixed in 0.8.0.
- How severe is CVE-2026-34975?
- CVE-2026-34975 has a CVSS 3.x base score of 8.5, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity low, and availability none.
- Is CVE-2026-34975 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (9th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-34975?
- CVE-2026-34975 affects Useplunk Plunk. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-34975?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-34975 have an EU (EUVD) identifier?
- Yes. CVE-2026-34975 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-19359.
- When was CVE-2026-34975 published?
- CVE-2026-34975 was published on 2026-04-06 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:useplunk:plunk:*:*:*:*:*:*:*:*
More vulnerabilities in Useplunk Plunk
- CVE-2026-32096 — Critical (CVSS 9.3): Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF)…
- CVE-2026-32095 — Medium (CVSS 5.4): Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted…
All CVEs affecting Useplunk Plunk →
Other CWE-93 (CRLF Injection) vulnerabilities
- CVE-2024-51501 — Critical (CVSS 10.0): Refit is an automatic type-safe REST library for .NET Core, Xamarin and .NET The various header-related Refit…
- CVE-2026-45372 — Critical (CVSS 9.9): cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's…
- CVE-2026-11362 — Critical (CVSS 9.8): DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not…
- CVE-2025-40671 — Critical (CVSS 9.3): SQL injection vulnerability in AES Multimedia's Gestnet v1.07. This vulnerability allows an attacker to retrieve,…
- CVE-2026-11373 — Critical (CVSS 9.1): Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for…
- CVE-2026-50638 — Critical (CVSS 9.1): Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd…