PT-2026-39196 · Plunk · Plunk
Bigbluewhale111 · Published 2026-05-08 · Updated 2026-05-13
CVE-2026-42193 · CVSS v3.1 9.1 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Plunk versions prior to 0.9.0
Description
The '/webhooks/sns' endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN. This allows an unauthenticated attacker to forge webhook requests and spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits.
Recommendations
Update to version 0.9.0 or later.
As a temporary workaround, restrict access to the '/webhooks/sns' endpoint (for example, at a reverse proxy or firewall) to trusted sources only, so that unauthenticated clients cannot reach it while the update is pending.
Fix
Weakness Enumeration
CWE-347: Improper Verification of Cryptographic Signature
Related Identifiers
CVE-2026-42193
Affected Products
Plunk