CVE-2026-42192

Source
https://cve.org/CVERecord?id=CVE-2026-42192
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42192.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42192
Aliases
  • GHSA-mjqc-qrv3-24hq
Published
2026-05-08T21:13:25.159Z
Modified
2026-07-08T08:13:13.786977843Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Plunk: Stored XSS in campaign view
Details

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42192.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/useplunk/plunk

Affected ranges

Type
GIT
Repo
https://github.com/useplunk/plunk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.9.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.1.0
v0.1.1
v0.2.0
v0.4.0
v0.6.0
v0.7.0
v0.8.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42192.json"