CVE-2026-32095
Stored XSS in Plunk Image Upload Endpoint Allows Script Execution
Publication date: 2026-03-11
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| useplunk | plunk | before 0.7.1 (0.7.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32095 is a stored Cross-Site Scripting (XSS) vulnerability in the Plunk email platform, versions up to 0.7.0. The vulnerability occurs because Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript.

Attackers could upload malicious SVG files containing JavaScript code. When other users accessed these files, the embedded JavaScript would execute, resulting in a stored XSS attack.

This vulnerability was fixed in version 0.7.1 by removing SVG files from the allowed upload types and adding validation to ensure uploaded files match their claimed image formats. [1]
How can this vulnerability impact me?
This vulnerability can allow attackers to execute malicious JavaScript in the context of other users who view the uploaded SVG files. This can lead to unauthorized actions such as stealing user credentials, session hijacking, or manipulating the content displayed to users.
The CVSS score of 5.4 indicates moderate severity, with low confidentiality and integrity impacts but no availability impact. Exploitation requires user interaction and low privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your Plunk installation is running a version prior to 0.7.1 and whether the image upload endpoint accepts SVG files.

You can also inspect uploaded files on your system or network to see whether any SVG files containing embedded JavaScript have been uploaded, as these are the source of the stored XSS vulnerability.

Suggested commands include:

- Check Plunk version: `plunk --version` or review your deployment details to confirm the version is below 0.7.1.
- Search for SVG files in the upload directory: `find /path/to/uploads -name '*.svg'`
- Inspect SVG files for embedded JavaScript by searching for script tags or event handlers: `grep -i '<script' /path/to/uploads/*.svg` or `grep -i 'onload' /path/to/uploads/*.svg` [1]
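The grep commands above catch the two indicators named in the answer. As an added example (not code from Plunk or from this advisory), the TypeScript below turns the same review into a small triage routine: it scans the text of each uploaded SVG for script elements, event-handler attributes, `javascript:` URLs and `foreignObject` elements, and reports only the files that need a human look. The function names (`findActiveContent`, `triageUploads`) and the sample upload contents are assumptions constructed for the example; the caller is expected to read the files from the upload directory into strings first.

```typescript
// Added example (not Plunk's own code): flag stored SVG uploads that carry
// active content, so they can be reviewed and removed after upgrading.

/** One finding: which indicator matched and the text that matched it. */
interface SvgFinding {
  indicator: string;
  match: string;
}

// Case-insensitive patterns; the 'g' flag lets us collect every hit in a file.
// Event-handler matching is deliberately broad (any on*= attribute), so expect
// an occasional false positive that a reviewer can dismiss quickly.
const ACTIVE_CONTENT_PATTERNS: { indicator: string; re: RegExp }[] = [
  { indicator: "script element", re: /<\s*script\b/gi },
  { indicator: "event handler attribute", re: /\bon[a-z]+\s*=/gi },
  { indicator: "javascript: URL", re: /javascript\s*:/gi },
  { indicator: "foreignObject element (embeds HTML)", re: /<\s*foreignObject\b/gi },
];

/** Scan one SVG document (already read into a string) for active content. */
function findActiveContent(svgText: string): SvgFinding[] {
  const findings: SvgFinding[] = [];
  for (let i = 0; i < ACTIVE_CONTENT_PATTERNS.length; i++) {
    const pattern = ACTIVE_CONTENT_PATTERNS[i];
    pattern.re.lastIndex = 0; // reset shared global-regex state between calls
    let m: RegExpExecArray | null;
    while ((m = pattern.re.exec(svgText)) !== null) {
      findings.push({ indicator: pattern.indicator, match: m[0] });
    }
  }
  return findings;
}

/** Given file name -> contents, return only the SVGs that need review. */
function triageUploads(files: { [name: string]: string }): { [name: string]: SvgFinding[] } {
  const suspicious: { [name: string]: SvgFinding[] } = {};
  const names = Object.keys(files);
  for (let i = 0; i < names.length; i++) {
    const name = names[i];
    if (!/\.svg$/i.test(name)) continue; // only SVG uploads are in scope here
    const hits = findActiveContent(files[name]);
    if (hits.length > 0) suspicious[name] = hits;
  }
  return suspicious;
}

// Constructed sample uploads standing in for files read from the upload directory.
const SAMPLE_UPLOADS: { [name: string]: string } = {
  "logo.svg": '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
  "banner.svg": '<svg xmlns="http://www.w3.org/2000/svg" onload="doSomething()"><rect width="1" height="1"/></svg>',
  "icon.svg": '<svg xmlns="http://www.w3.org/2000/svg"><script>console.log("x")</script></svg>',
  "photo.png": "\u0089PNG...", // not an SVG, so it is skipped
};

/** Names of the sample uploads that the triage flags, sorted for stable output. */
function demo(): string[] {
  return Object.keys(triageUploads(SAMPLE_UPLOADS)).sort();
}

console.log(demo()); // prints ["banner.svg", "icon.svg"]
```

Anything this routine flags should be treated as a file to remove or quarantine after the upgrade, since the fixed version will not accept SVG uploads anyway; the clean files can be left alone.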
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade Plunk to version 0.7.1 or later, where the vulnerability is fixed.
The fix removes SVG files from the list of allowed upload types and adds magic-byte validation to ensure uploaded files match their claimed image formats, preventing malicious SVG uploads.
Additionally, review and remove any previously uploaded SVG files that may contain malicious JavaScript.
If upgrading immediately is not possible, consider temporarily disabling SVG uploads on the image upload endpoint.
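The fix described above has two parts: an allowlist of upload types that no longer contains SVG, and a magic-byte check so that a file's bytes must agree with the type it claims. As an added example (not Plunk's code, and not a copy of the 0.7.1 patch), the TypeScript below shows what such a check looks like for PNG, JPEG, GIF and WebP. The function names (`sniffImageType`, `validateImageUpload`) and the sample byte strings are assumptions constructed for the example.

```typescript
// Added example (not Plunk's own code): allowlist-plus-magic-byte validation
// for image uploads. SVG is deliberately absent from the allowlist because
// browsers treat it as an active document, not a plain image.

interface UploadCheck {
  ok: boolean;
  detected: string | null; // MIME type inferred from the content, if any
  reason: string;
}

// Leading bytes that identify each accepted raster format.
// WebP is "RIFF" at offset 0 and "WEBP" at offset 8, handled separately below.
const MAGIC: { mime: string; bytes: number[] }[] = [
  { mime: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

const ALLOWED_MIME: string[] = ["image/png", "image/jpeg", "image/gif", "image/webp"];

function bytesAt(data: Uint8Array, bytes: number[], offset: number): boolean {
  if (data.length < offset + bytes.length) return false;
  for (let i = 0; i < bytes.length; i++) {
    if (data[offset + i] !== bytes[i]) return false;
  }
  return true;
}

/** Identify the image format from content alone; null if unrecognised. */
function sniffImageType(data: Uint8Array): string | null {
  for (let i = 0; i < MAGIC.length; i++) {
    if (bytesAt(data, MAGIC[i].bytes, 0)) return MAGIC[i].mime;
  }
  if (bytesAt(data, [0x52, 0x49, 0x46, 0x46], 0) && bytesAt(data, [0x57, 0x45, 0x42, 0x50], 8)) {
    return "image/webp"; // "RIFF" .... "WEBP"
  }
  return null;
}

/** Accept only allowlisted types whose bytes agree with the declared type. */
function validateImageUpload(data: Uint8Array, declaredMime: string): UploadCheck {
  const declared = declaredMime.toLowerCase();
  const detected = sniffImageType(data);
  if (ALLOWED_MIME.indexOf(declared) === -1) {
    return { ok: false, detected: detected, reason: "declared type " + declared + " is not allowed" };
  }
  if (detected === null) {
    return { ok: false, detected: detected, reason: "content does not start with a known image signature" };
  }
  if (detected !== declared) {
    return { ok: false, detected: detected, reason: "declared " + declared + " but content looks like " + detected };
  }
  return { ok: true, detected: detected, reason: "ok" };
}

/** ASCII text to bytes without Buffer or TextEncoder, to keep the example dependency-free. */
function ascii(s: string): Uint8Array {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i) & 0xff;
  return out;
}

// Constructed sample uploads (not real files); only the leading bytes matter here.
const SAMPLES = {
  pngHeader: new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]),
  svgText: ascii('<svg xmlns="http://www.w3.org/2000/svg"></svg>'),
  webpHeader: ascii("RIFF\u0000\u0000\u0000\u0000WEBPVP8 "),
};

console.log(validateImageUpload(SAMPLES.pngHeader, "image/png"));   // ok: true
console.log(validateImageUpload(SAMPLES.svgText, "image/svg+xml")); // ok: false, type not allowed
console.log(validateImageUpload(SAMPLES.svgText, "image/png"));     // ok: false, no image signature
```

The third call is the case the allowlist alone would miss: an SVG renamed or declared as PNG passes the type check but fails the signature check, which is why the fix needs both parts. Rejections should also be logged, because a burst of mismatched uploads is a useful signal for detection.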