LeakyCreds

CVE-2026-32096 - Vulnerability Analysis

Critical | CVSS: 9.3

Last Updated: March 12, 2026

Plunk - Server-Side Request Forgery

Published: March 11, 2026 | Updated: March 12, 2026 | Remote Exploitable

Overview

Plunk < 0.7.0 contains a server-side request forgery (SSRF) vulnerability caused by improper validation in the SNS webhook handler. It lets attackers make arbitrary outbound HTTP GET requests from the server, and exploitation requires no authentication.

Severity & Score

Severity: Critical
CVSS Score: 9.3
EPSS Score: 4.2% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can make arbitrary outbound HTTP requests from the server, potentially accessing internal resources through the SSRF.

Mitigation

Update to version 0.7.0 or later.

Social Media Activity (1 post)

Offensive Sequence
@offseq
Mar 12, 2026

🚨 CVE-2026-32096: CRITICAL SSRF in Plunk < 0.7.0 lets unauthenticated attackers trigger arbitrary outbound HTTP requests via SNS webhook. Upgrade to 0.7.0+ ASAP. Monitor egress and review webhook configs. https://radar.offseq.com/threat/cve-2026-32096-cwe-918-server-side-request-forgery-4e688d7e #OffSeq #SSRF #CloudSecurity

Details

CVE ID: CVE-2026-32096
Severity: Critical
CVSS Score: 9.3
Type: server_side_request_forgery
Status: unconfirmed
EPSS: 4.2%
Social Posts: 1

CWE

  • CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

EPSS Score

4.2% (Probability of exploitation in the next 30 days)