CVE-2026-42192 Overview
CVE-2026-42192 is a stored cross-site scripting (XSS) vulnerability in Plunk, an open-source email platform built on top of AWS Simple Email Service (SES). The flaw resides in the campaign management feature, where authenticated project members can inject HTML and JavaScript into the email body. Plunk's admin dashboard renders this content using React's dangerouslySetInnerHTML without HTML sanitization. When an administrator or another member views the campaign, the injected script executes in their browser session. Versions prior to 0.9.0 are affected. The issue is tracked under [CWE-79] (Improper Neutralization of Input During Web Page Generation).
Critical Impact
A lower-privileged project member can execute arbitrary JavaScript in an administrator's browser, enabling session hijacking and unauthorized actions performed under the admin's identity.
Affected Products
- Plunk (open-source email platform) versions prior to 0.9.0
- Self-hosted Plunk deployments using the campaign management feature
- Plunk admin dashboards rendering user-supplied email body content
Discovery Timeline
- 2026-05-08 - CVE-2026-42192 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42192
Vulnerability Analysis
The vulnerability stems from unsafe rendering of user-controlled content in Plunk's React-based administrative interface. Authenticated project members create campaigns by composing an email body that includes HTML markup. Plunk stores the raw body and later renders it on the admin dashboard preview using React's dangerouslySetInnerHTML property. Because the application performs no HTML sanitization before rendering, any <script> element, event handler attribute, or javascript: URI placed in the body becomes active JavaScript in the viewer's browser. The execution context is the Plunk admin origin, giving the injected script access to session cookies, authentication tokens, and any API endpoints the victim can reach.
Root Cause
The root cause is the use of dangerouslySetInnerHTML on attacker-influenced content without a sanitization pass through a library such as DOMPurify. React deliberately names this property dangerous to signal that the developer assumes responsibility for cleansing input. Plunk's campaign body field accepts arbitrary HTML to support rich email composition, but the same raw markup is reused for in-app preview, conflating the email rendering trust boundary with the dashboard trust boundary.
Attack Vector
An attacker requires a valid project member account, which represents a lower privilege tier than project administrator. The attacker creates or edits a campaign and inserts a payload such as an inline script tag or an onerror attribute on an image element pointing to attacker-controlled JavaScript. When an administrator or fellow member loads the campaign view in the dashboard, the script executes with the victim's privileges. Typical impacts include stealing the session cookie, issuing authenticated API calls to add members, exfiltrating subscriber lists, or pivoting to send unauthorized email through the connected AWS SES account. The attack requires user interaction (UI:R) because the victim must navigate to the campaign.
No public proof-of-concept code has been released. See the GitHub Security Advisory GHSA-mjqc-qrv3-24hq for additional technical details.
Detection Methods for CVE-2026-42192
Indicators of Compromise
- Campaign records containing <script> tags, onerror=, onload=, or javascript: URIs in the email body field.
- Outbound network requests from admin browsers to unfamiliar domains shortly after a campaign view event.
- Unexpected API calls from administrator sessions to create members, modify projects, or retrieve subscriber data.
- New project member or API key creations that lack corresponding human-initiated audit events.
Detection Strategies
- Query the Plunk database for campaign bodies matching XSS signatures and review entries authored by non-administrator accounts.
- Inspect web server and reverse proxy logs for admin dashboard requests followed by anomalous cross-origin requests in the same session.
- Enable and review browser Content Security Policy (CSP) violation reports if a CSP is deployed in front of Plunk.
Monitoring Recommendations
- Audit project member account activity, focusing on campaign creation and edit operations performed by lower-privileged users.
- Monitor AWS SES sending activity for unexpected spikes, new sender identities, or messages to attacker-controlled recipients.
- Alert on administrative actions occurring in close temporal proximity to a campaign preview load.
How to Mitigate CVE-2026-42192
Immediate Actions Required
- Upgrade Plunk to version 0.9.0 or later, where the campaign body is sanitized before rendering.
- Review all existing campaigns for HTML payloads containing script tags or inline event handlers and remove suspicious entries before any admin reviews them.
- Rotate session secrets and force re-authentication for all Plunk users following the upgrade.
- Audit project member rosters and revoke accounts that should not retain access.
Patch Information
The fix is included in Plunk v0.9.0. Refer to the GitHub Release v0.9.0 notes and the GitHub Security Advisory GHSA-mjqc-qrv3-24hq for upgrade instructions and the underlying code change that introduces sanitization on campaign body rendering.
Workarounds
- Restrict campaign creation and edit permissions to fully trusted administrators until the upgrade is applied.
- Deploy a strict Content Security Policy in front of the Plunk dashboard that disallows inline script execution and limits script sources to known origins.
- Place Plunk behind a web application firewall configured to block common stored XSS payloads in campaign API requests.
- Instruct administrators to avoid previewing campaigns authored by untrusted members until patching is complete.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
