Stored Cross-Site Scripting Vulnerability in Plunk Email Platform by AWS
CVE-2026-42192

5.4 MEDIUM

Key Information:

Vendor: Useplunk

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-42192?

The Plunk email platform contains a stored Cross-Site Scripting (XSS) vulnerability in its campaign management feature. Authenticated project members can create email content that is later rendered in the admin dashboard through React's dangerouslySetInnerHTML prop without proper HTML sanitization. As a result, lower-privileged users can embed malicious scripts within email bodies. When an admin or another member views the affected campaign, the scripts execute in that viewer's browser context, which could lead to session hijacking or unauthorized actions. This vulnerability was addressed in version 0.9.0.
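One way to audit a React code base for the kind of sink described above, as an added example that is neither Plunk's code nor its fix: a heuristic scan that reports every `dangerouslySetInnerHTML` whose `__html` value is not exactly one call to an allow-listed sanitizer. The `SANITIZERS` list, the component names and the sample source are assumptions constructed for illustration.

```javascript
// Added example: heuristic audit for dangerouslySetInnerHTML sinks.
// SANITIZERS is an assumed allow-list; adjust to the sanitizer your code base uses.
const SANITIZERS = ['DOMPurify.sanitize', 'sanitizeHtml'];

// Captures <expr> in dangerouslySetInnerHTML={{ __html: <expr> }}.
const SINK = /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([\s\S]*?)\}\s*\}/g;

// True only when expr is exactly one call to an allow-listed sanitizer,
// so "sanitize(a) + b" does not pass.
function isWhollySanitized(expr) {
  const fn = SANITIZERS.find((name) => expr.startsWith(name + '('));
  if (!fn) return false;
  let depth = 0;
  for (let i = fn.length; i < expr.length; i++) {
    if (expr[i] === '(') depth++;
    else if (expr[i] === ')' && --depth === 0) return i === expr.length - 1;
  }
  return false; // unbalanced parentheses: treat as unsanitized
}

// Returns one finding per sink whose value is not wholly sanitized.
function findUnsanitizedSinks(source, file = '<inline>') {
  const findings = [];
  for (const m of source.matchAll(SINK)) {
    const expr = m[1].trim().replace(/,\s*$/, '');
    if (!isWhollySanitized(expr)) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ file, line, expr });
    }
  }
  return findings;
}

// Constructed sample source (hypothetical components, not Plunk's code).
const SAMPLE = [
  'export const Raw = ({ campaign }) => (',
  '  <div dangerouslySetInnerHTML={{ __html: campaign.body }} />',
  ');',
  'export const Clean = ({ campaign }) => (',
  '  <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(campaign.body) }} />',
  ');',
  'export const Mixed = ({ campaign, footer }) => (',
  '  <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(campaign.body) + footer }} />',
  ');',
].join('\n');

for (const f of findUnsanitizedSinks(SAMPLE, 'sample.jsx')) {
  console.log(`${f.file}:${f.line}: unsanitized __html: ${f.expr}`);
}
```

Because this is a regex heuristic rather than an AST pass, it also reports values that were sanitized into a variable earlier in the component; treat each finding as a prompt for manual review.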

Affected Version(s)

plunk < 0.9.0

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
