CVE-2026-42192 MEDIUM

CVE-2026-42192: Plunk: Stored XSS in campaign view

Vendor Useplunk
Product plunk
Weakness CWE-79 · XSS
Published May 8, 2026
Last update May 12, 2026
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0.

Key dates

02Disclosure timeline

May 8, 2026 CVE published
May 12, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-47146 WordPress Real Estate 7 Theme <= 3.3.1 is vulnerable to Cross Site Scripting (XSS) CVE-2025-9560 Colibri Page Builder <= 1.0.334 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_newsletter Shortcode CVE-2025-47092 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2024-23862 Cross-Site Scripting (XSS) vulnerability in Cups Easy CVE-2025-12227 projectworlds Gate Pass Management System add-pass.php cross site scripting