CVE-2026-32096

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to any host accessible from the server. This vulnerability is fixed in 0.7.0.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/useplunk/plunk/commit/b8f1ad9ab53c78f8ef063fdc125f397c8bfc7652	Patch
https://github.com/useplunk/plunk/security/advisories/GHSA-xpqg-p8mp-7g44	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:useplunk:plunk:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-11 20:16

Updated : 2026-03-16 17:00

NVD link : CVE-2026-32096

Mitre link : CVE-2026-32096

CVE.ORG link : CVE-2026-32096

JSON object : View

Products Affected

useplunk

plunk

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-32096", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2026-03-11T20:16:18.090", "references": [{"url": "https://github.com/useplunk/plunk/commit/b8f1ad9ab53c78f8ef063fdc125f397c8bfc7652", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/useplunk/plunk/security/advisories/GHSA-xpqg-p8mp-7g44", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to any host accessible from the server. This vulnerability is fixed in 0.7.0."}, {"lang": "es", "value": "Plunk es una plataforma de correo electr\u00f3nico de c\u00f3digo abierto construida sobre AWS SES. Antes de la 0.7.0, exist\u00eda una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en el gestor de webhook de SNS. Un atacante no autenticado podr\u00eda enviar una petici\u00f3n manipulada que causaba que el servidor realizara una petici\u00f3n HTTP GET saliente arbitraria a cualquier host accesible desde el servidor. Esta vulnerabilidad est\u00e1 corregida en la 0.7.0."}], "lastModified": "2026-03-16T17:00:18.470", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:useplunk:plunk:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "103B88DE-209C-4C17-A84C-D22222453E81", "versionEndExcluding": "0.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}