CRLF Header Injection Vulnerability in Plunk Open-Source Email Platform
CVE-2026-34975

8.5 HIGH

Key Information:

Vendor

Useplunk

Status

Vendor

CVE Published:

6 April 2026

What is CVE-2026-34975?

Plunk, an open-source email platform built on AWS SES, contains a CRLF header injection vulnerability that affects versions prior to 0.8.0. This issue allows an authenticated API user to manipulate email headers by injecting carriage return or line feed characters into fields such as from.name, subject, and attachment filenames. Such manipulation can lead to unauthorized actions, including silent email forwarding, reply redirection, and sender spoofing. The vulnerability was addressed in version 0.8.0, which introduced input validation to prevent these types of injections.
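An added example, not Plunk's own code, of the kind of input validation the 0.8.0 fix describes: it checks the user-controlled fields the advisory names (from.name, subject, attachment filenames) for CR, LF and other control characters before they are folded into raw header lines. The request shape, function names and sample values are assumptions constructed for illustration.

```typescript
// Added example (not Plunk's code). CR/LF in a header value lets an API user
// terminate the current header and start a new one; reject before assembly.
const HEADER_CTRL = /[\r\n\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/;

interface SendRequest {            // assumed request shape
  from: { name: string; email: string };
  subject: string;
  attachments?: { filename: string }[];
}

// Returns the paths of header-bound fields that contain CR, LF or other
// control characters; an empty array means the request is safe to assemble.
function findHeaderInjection(req: SendRequest): string[] {
  const bad: string[] = [];
  if (HEADER_CTRL.test(req.from.name)) bad.push("from.name");
  if (HEADER_CTRL.test(req.subject)) bad.push("subject");
  (req.attachments ?? []).forEach((a, i) => {
    if (HEADER_CTRL.test(a.filename)) bad.push(`attachments[${i}].filename`);
  });
  return bad;
}

// Builds the From/Subject header block, throwing instead of emitting a
// message when any field would introduce an extra header line.
function buildHeaders(req: SendRequest): string {
  const bad = findHeaderInjection(req);
  if (bad.length > 0) {
    throw new Error(`header injection rejected in: ${bad.join(", ")}`);
  }
  const displayName = req.from.name.replace(/["\\]/g, "\\$&");
  const lines = [
    `From: "${displayName}" <${req.from.email}>`,
    `Subject: ${req.subject}`,
  ];
  return lines.join("\r\n") + "\r\n";
}

// Constructed sample inputs: one clean request, one whose display name
// carries a CRLF sequence followed by a would-be second header.
const constructedGood: SendRequest = {
  from: { name: "Billing", email: "billing@example.com" },
  subject: "Invoice",
  attachments: [{ filename: "invoice.pdf" }],
};
const constructedBad: SendRequest = {
  from: { name: "Billing\r\nX-Injected: yes", email: "billing@example.com" },
  subject: "Invoice",
};
```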

Affected Version(s)

plunk < 0.8.0

References

CVSS V3.1

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
