9.3
Plunk: Unauthenticated attackers could send fake emails through AWS SES
CVE-2026-32096
Summary
An attacker could send fake emails by tricking Plunk into making requests to any internet address. This is fixed in version 0.7.0. If you're using a version earlier than 0.7.0, update to the latest version to prevent this attack.
Original title
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS webhook handler. An unauthenticated attacker co...
Original description
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to any host accessible from the server. This vulnerability is fixed in 0.7.0.
NVD CVSS 3.1
9.3
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026
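For the SSRF class described above, an added example (not Plunk's code and not the 0.7.0 fix) of a check a Node.js SNS webhook handler can run before making any outbound request. It assumes the handler issues GET requests to the `SubscribeURL` or `SigningCertURL` fields of the posted SNS message; the function names and sample messages are constructed for illustration.

```javascript
// Added example, not Plunk's code. Assumption: the webhook handler issues GET
// requests to SubscribeURL / SigningCertURL taken from the posted SNS message.
const SNS_HOST = /^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$/;

// True only for https URLs on an SNS regional endpoint, default port, no userinfo.
function isTrustedSnsUrl(raw, requirePem = false) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false; // missing or not an absolute URL
  }
  if (url.protocol !== 'https:') return false;
  if (url.username !== '' || url.password !== '') return false; // rejects https://sns...@other-host/
  if (url.port !== '') return false; // only the default https port
  if (!SNS_HOST.test(url.hostname)) return false; // anchored, so look-alike suffixes fail
  return !requirePem || url.pathname.endsWith('.pem');
}

// Decide whether the handler may make any outbound request for this message.
// Passing is a precondition only; the SNS message signature must still be verified.
function checkSnsMessage(msg) {
  if (typeof msg !== 'object' || msg === null) return { ok: false, reason: 'not an object' };
  if (!isTrustedSnsUrl(msg.SigningCertURL, true)) return { ok: false, reason: 'SigningCertURL' };
  const confirms = msg.Type === 'SubscriptionConfirmation' || msg.Type === 'UnsubscribeConfirmation';
  if (confirms && !isTrustedSnsUrl(msg.SubscribeURL)) return { ok: false, reason: 'SubscribeURL' };
  return { ok: true, reason: null };
}

// Constructed sample messages (placeholder values, not captured traffic).
const genuineShape = {
  Type: 'SubscriptionConfirmation',
  SigningCertURL: 'https://sns.us-east-1.amazonaws.com/SimpleNotificationService-EXAMPLE.pem',
  SubscribeURL: 'https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=EXAMPLE',
};
const forgedShape = { ...genuineShape, SubscribeURL: 'http://internal.example/admin' };

console.log(checkSnsMessage(genuineShape));
console.log(checkSnsMessage(forgedShape));
```

Reject the request before parsing anything else when `ok` is false, and disable redirect following on the fetch that comes after, so an allowlisted URL cannot bounce the request elsewhere.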