PT-2026-39195 · Plunk · Plunk
Bigbluewhale111 · Published 2026-05-08 · Updated 2026-05-09 · CVE-2026-42192
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Plunk versions prior to 0.9.0
Description
A stored cross-site scripting (XSS) issue exists in the campaign management feature. Authenticated project members can embed malicious scripts in a campaign's email body, which are stored and subsequently rendered in the admin dashboard using React's dangerouslySetInnerHTML without HTML sanitization. This allows a lower-privileged member to execute scripts in the context of an admin or other member viewing the campaign, potentially leading to session hijacking or unauthorized actions.
Recommendations
Update to version 0.9.0.
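The following is an added example, not code from Plunk or from this advisory. It assumes campaign bodies are available as HTML strings and shows two defensive measures around the upgrade: a heuristic audit of stored bodies for script-bearing markup, and props for previewing untrusted HTML in a sandboxed iframe instead of dangerouslySetInnerHTML. The advisory does not say how 0.9.0 fixes the issue; the function names and the sandboxed-preview approach are assumptions.

```javascript
// Added example; function names are hypothetical, not Plunk's code.
// Heuristic patterns for markup that runs script when injected via innerHTML.
// A triage aid for already-stored campaign bodies, not a sanitizer.
const ACTIVE_CONTENT = [
  { name: "script-element", re: /<\s*script\b/i },
  { name: "event-handler-attribute", re: /<[^>]*\son[a-z]+\s*=/i },
  { name: "javascript-url", re: /(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i },
  { name: "embedding-element", re: /<\s*(?:iframe|object|embed)\b/i },
];

// Names of the patterns that match one HTML body.
function findActiveContent(html) {
  return ACTIVE_CONTENT.filter((p) => p.re.test(html)).map((p) => p.name);
}

// Props for a React <iframe> that previews untrusted HTML without running it.
// sandbox="" (no allow-scripts, no allow-same-origin) blocks script execution
// and gives the frame an opaque origin; the CSP meta tag is a second layer.
function sandboxedPreviewProps(body) {
  const csp =
    '<meta http-equiv="Content-Security-Policy" ' +
    "content=\"default-src 'none'; img-src data: https:; style-src 'unsafe-inline'\">";
  return { sandbox: "", srcDoc: csp + body, referrerPolicy: "no-referrer", title: "Campaign preview" };
}

// Campaigns whose stored body matches at least one pattern.
function auditCampaigns(rows) {
  return rows
    .map((r) => ({ id: r.id, findings: findActiveContent(r.body) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample rows standing in for stored campaigns.
const campaigns = [
  { id: "c1", body: '<h1>Spring sale</h1><p>20% off <a href="https://example.com">today</a></p>' },
  { id: "c2", body: '<p>Hello</p><img src="x" onerror="void 0">' },
  { id: "c3", body: '<a href="javascript:void 0">click</a><script>/* constructed */</script>' },
];

console.log(JSON.stringify(auditCampaigns(campaigns), null, 2));
```

In a React component the object returned by sandboxedPreviewProps is spread onto an iframe element, so the stored HTML is never parsed in the dashboard's own origin.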
Fix
XSS
Affected Products
Plunk