CVE-2026-42193

Published: Mag 09, 2026 Last Modified: Mag 09, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,1

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: high

Availability: high

Description

AI Translation Available

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook request. This allows an unauthenticated attacker to spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. This issue has been patched in version 0.9.0.

347

Improper Verification of Cryptographic Signature

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Integrity Confidentiality

Potential Impacts:

Gain Privileges Or Assume Identity Modify Application Data Execute Unauthorized Code Or Commands

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/useplunk/plunk/releases/tag/v0.9.0

https://github.com/useplunk/plunk/security/advisories/GHSA-…

https://github.com/useplunk/plunk/security/advisories/GHSA-9792-w86v-gx53

CVE-2026-42193

Description

Improper Verification of Cryptographic Signature

Common Consequences

Applicable Platforms

Iscriviti alla newsletter