Unrated severityNVD Advisory· Published Mar 11, 2026· Updated Mar 12, 2026
Plunk has SSRF via unvalidated AWS SNS SubscriptionConfirmation in POST /webhooks/sns
CVE-2026-32096
Description
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to any host accessible from the server. This vulnerability is fixed in 0.7.0.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- github.com/useplunk/plunk/commit/b8f1ad9ab53c78f8ef063fdc125f397c8bfc7652mitrex_refsource_MISC
- github.com/useplunk/plunk/security/advisories/GHSA-xpqg-p8mp-7g44mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.