Cyber Resilience

CVE-2026-34975

Severity: High
Published: 06 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (fixed in Plunk 0.8.0)
CVSS Score v3.1: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0019 (9.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-34975 is a high-severity CRLF injection vulnerability (CWE-93, Improper Neutralization of CRLF Sequences) in Useplunk Plunk, an open-source email platform built on top of AWS SES. Its CVSS v3.1 base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Email Spoofing (T1684.002). EPSS ranks it at the 9.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34975 is a CRLF header injection vulnerability (CWE-93) in Plunk, an open-source email platform built on top of AWS SES, affecting versions prior to 0.8.0. The flaw is in the SESService.ts component, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames are interpolated directly into the raw MIME message without sanitization. Because MIME headers are delimited by carriage return/line feed (\r\n), a value that contains those characters terminates the header it was meant to fill and starts a new, attacker-chosen header on the next line.

An authenticated API user with low privileges can exploit the flaw over the network, with low attack complexity and no user interaction. A display name such as Billing\r\nBcc: <attacker address> injects an arbitrary header into every message sent with it: an injected Bcc silently copies the email to the attacker, an injected Reply-To redirects replies, and a forged From display name supports sender spoofing. The CVSS v3.1 base score is 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N): confidentiality impact is High because Bcc exfiltrates message content, integrity impact is Low because only headers can be altered, and the scope is Changed because the injected headers take effect in the mail delivery path (SES and the recipients' mail systems) rather than within the Plunk API itself. Note that the attacker needs only a valid API key, so a leaked or over-scoped tenant key is sufficient.

The vulnerability is addressed in Plunk version 0.8.0, which implements input validation at the schema level to reject \r or \n characters in the affected fields, consistent with prior validation applied to the contentId field. Additional details are available in the GitHub security advisory at https://github.com/useplunk/plunk/security/advisories/GHSA-2mvm-rg5v-7hfq.
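To make the mechanism concrete, the following is an added example written for this page; it is not Plunk's code, and the message shape, builder and sample inputs are assumptions (only the field names from.name, subject, custom headers and attachment filenames come from the advisory). It shows a builder that interpolates fields straight into the header block, the Bcc that appears when from.name carries a CRLF, and a schema-level check of the kind the 0.8.0 fix applies.

```typescript
// Added example (not Plunk's code): CRLF in a header-bearing field becomes an
// injected Bcc; a schema-level check rejects the input before any MIME is built.
// The message shape and builder are assumptions made for this illustration.

interface EmailInput {
  from: { name: string; email: string };
  to: string;
  subject: string;
  headers?: Record<string, string>;                 // custom header keys/values
  attachments?: { filename: string; content: string }[];
}

const CRLF = /[\r\n]/;

// Vulnerable pattern: fields are interpolated straight into the header block.
// A value containing "\r\n" ends the current header and starts a new one.
// (Attachments are validated below but omitted from this single-part builder.)
function buildRawMimeVulnerable(msg: EmailInput): string {
  const lines = [
    `From: ${msg.from.name} <${msg.from.email}>`,
    `To: ${msg.to}`,
    `Subject: ${msg.subject}`,
    'MIME-Version: 1.0',
  ];
  for (const [key, value] of Object.entries(msg.headers ?? {})) {
    lines.push(`${key}: ${value}`);
  }
  lines.push('Content-Type: text/plain; charset=utf-8', '', 'hello');
  return lines.join('\r\n');
}

// Count occurrences of a header at line start inside the header block.
// `name` must be a plain header token (no regex metacharacters).
function headerCount(raw: string, name: string): number {
  const headerBlock = raw.split('\r\n\r\n')[0];
  return (headerBlock.match(new RegExp(`^${name}:`, 'gim')) ?? []).length;
}

// Schema-level check in the spirit of the 0.8.0 fix: reject \r or \n anywhere in
// from.name, subject, custom header keys and values, and attachment filenames.
// Returns the paths of the offending fields (empty when the message is clean).
function findCrlfViolations(msg: EmailInput): string[] {
  const violations: string[] = [];
  const check = (path: string, value: string) => {
    if (CRLF.test(value)) violations.push(path);
  };
  check('from.name', msg.from.name);
  check('subject', msg.subject);
  Object.entries(msg.headers ?? {}).forEach(([key, value], i) => {
    check(`headers[${i}].key`, key);
    check(`headers[${i}].value`, value);
  });
  (msg.attachments ?? []).forEach((att, i) => check(`attachments[${i}].filename`, att.filename));
  return violations;
}

// Hardened entry point: validate first, build only when every field is single-line.
function buildRawMimeHardened(msg: EmailInput): string {
  const violations = findCrlfViolations(msg);
  if (violations.length > 0) {
    throw new Error(`CRLF characters rejected in: ${violations.join(', ')}`);
  }
  return buildRawMimeVulnerable(msg);   // same builder; inputs are now known to be safe
}

// Constructed sample inputs (not taken from the advisory).
const cleanMessage: EmailInput = {
  from: { name: 'Billing', email: 'noreply@example.com' },
  to: 'customer@example.com',
  subject: 'Your invoice',
  headers: { 'X-Campaign': 'invoices' },
};

const attackMessage: EmailInput = {
  ...cleanMessage,
  // The display name smuggles a second header line; the mailer treats Bcc as a recipient.
  from: { name: 'Billing\r\nBcc: attacker@example.invalid', email: 'noreply@example.com' },
};

console.log(buildRawMimeVulnerable(attackMessage));   // shows the injected "Bcc:" line
console.log(findCrlfViolations(attackMessage));       // [ 'from.name' ]
```

The point of checking at the schema layer rather than inside the builder is coverage: every code path that accepts these fields is validated, including ones added later, and the rejection happens before any MIME text exists.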

Vulnerability details

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames were interpolated directly into raw MIME messages without sanitization. An authenticated API user could inject arbitrary email headers (e.g. Bcc, Reply-To) by embedding carriage return/line feed characters in these fields, enabling silent email forwarding, reply redirection, or sender spoofing. The fix adds input validation at the schema level to reject any of these fields containing \r or \n characters, consistent with the existing validation already applied to the contentId field. This vulnerability is fixed in 0.8.0.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1684.002 Email Spoofing (Stealth)
Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.
Why these techniques?

CRLF injection gives the attacker control over email headers (Bcc, Reply-To, From), which directly enables the sender spoofing described by T1672.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32096 (same product: Useplunk Plunk)
CVE-2026-50292 (shared CWE-93)
CVE-2026-39983 (shared CWE-93)
CVE-2026-39849 (shared CWE-93)
CVE-2026-1714 (shared CWE-93)
CVE-2026-8788 (shared CWE-93)
CVE-2026-6351 (shared CWE-93)
CVE-2026-39958 (shared CWE-93)
CVE-2026-41230 (shared CWE-93)
CVE-2025-28357 (shared CWE-93)

Affected Assets

useplunk / plunk, versions < 0.8.0 (fixed in 0.8.0)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Requires input validation at the API endpoints to reject \r or \n characters in user-supplied from.name, subject, custom header keys/values, and attachment filenames, directly preventing CRLF injection into the raw MIME message. Placing the check at the schema layer, as the 0.8.0 fix does, covers every code path that accepts these fields rather than only the one that was reported.

SI-2 Flaw Remediation (prevent)
Mandates identification, reporting, and correction of flaws such as this one: upgrade Plunk to 0.8.0 or later, which ships the schema-level validation.

SI-15 Information Output Filtering (prevent)
Provides a final filter over the constructed MIME message before it is handed to AWS SES, blocking or rejecting headers the application did not intend to set (for example an unexpected Bcc, or a second Reply-To). This is defense in depth for the case where a new header-bearing field is added later without the input check.
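The output-filtering control above is the one most often left abstract, so here is an added example of what it looks like in practice; it is not Plunk's code, and the intended-header list and sample messages are constructed for the illustration. Instead of trying to strip suspicious lines, it parses the header block of the already-built raw MIME message (honoring RFC 5322 folded continuation lines), compares the header names present against the ones the application meant to emit as a multiset, and refuses to send if anything extra or duplicated appears. This catches both an injected Bcc and a smuggled second Reply-To, which a simple allowlist would miss because Reply-To is a legitimate header.

```typescript
// Added example (not Plunk's code): an output filter applied to the constructed
// raw MIME message immediately before it is handed to SES. It compares the header
// names actually present with the ones the application intended to emit, so an
// injected header is caught even if an input check upstream was missed.
// The intended-header list and sample messages are constructed for this example.

// Header names in the header block, in order, with RFC 5322 folded lines skipped.
// A line that is neither a continuation nor "name:" is reported as malformed.
function headerNames(raw: string): string[] {
  const block = raw.split(/\r?\n\r?\n/)[0];
  const names: string[] = [];
  for (const line of block.split(/\r?\n/)) {
    if (/^[ \t]/.test(line)) continue;             // folded continuation of the previous header
    const m = /^([!-9;-~]+):/.exec(line);          // field-name: printable ASCII except ':'
    names.push(m ? m[1].toLowerCase() : '<malformed>');
  }
  return names;
}

// Multiset comparison: every header present must be consumed by one intended slot.
// Returns the header names that had no slot, i.e. the injected or duplicated ones.
function unexpectedHeaders(raw: string, intended: string[]): string[] {
  const budget = new Map<string, number>();
  for (const name of intended) {
    const key = name.toLowerCase();
    budget.set(key, (budget.get(key) ?? 0) + 1);
  }
  const extra: string[] = [];
  for (const name of headerNames(raw)) {
    const left = budget.get(name) ?? 0;
    if (left > 0) budget.set(name, left - 1);
    else extra.push(name);
  }
  return extra;
}

// Gate before transmission: refuse to send rather than try to repair the message.
function assertSafeToSend(raw: string, intended: string[]): string {
  const extra = unexpectedHeaders(raw, intended);
  if (extra.length > 0) {
    throw new Error(`refusing to send: unexpected header(s) ${extra.join(', ')}`);
  }
  return raw;
}

// Constructed samples. The application intended exactly these headers:
const intendedHeaders = ['From', 'To', 'Subject', 'Reply-To', 'MIME-Version', 'Content-Type'];

const cleanRaw = [
  'From: Billing <noreply@example.com>',
  'To: customer@example.com',
  'Subject: Your invoice for',
  ' March',                                        // legitimate folded Subject continuation
  'Reply-To: support@example.com',
  'MIME-Version: 1.0',
  'Content-Type: text/plain; charset=utf-8',
  '',
  'hello',
].join('\r\n');

// from.name carried "\r\nBcc: ..." and was interpolated verbatim.
const bccInjectedRaw = cleanRaw.replace(
  'From: Billing <noreply@example.com>',
  'From: Billing\r\nBcc: attacker@example.invalid <noreply@example.com>',
);

// subject carried "\r\nReply-To: ...": one Reply-To was intended, two are present.
const replyToInjectedRaw = cleanRaw.replace(
  'Subject: Your invoice for',
  'Subject: Your invoice for\r\nReply-To: attacker@example.invalid',
);

console.log(unexpectedHeaders(cleanRaw, intendedHeaders));           // []
console.log(unexpectedHeaders(bccInjectedRaw, intendedHeaders));     // [ 'bcc' ]
console.log(unexpectedHeaders(replyToInjectedRaw, intendedHeaders)); // [ 'reply-to' ]
```

Rejecting instead of stripping matters: an attacker who can predict that unexpected lines are removed can still shape what remains, while a hard refusal also produces an event worth alerting on, since a legitimate client has no reason to trigger it.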
