CVE-2026-32095
Received Received - Intake
Stored XSS in Plunk Image Upload Endpoint Allows Script Execution

Publication date: 2026-03-11

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32095
EUVD
EUVD-2026-11334
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
useplunk plunk to 0.7.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32095 is a stored Cross-Site Scripting (XSS) vulnerability in the Plunk email platform versions up to 0.7.0. The vulnerability occurs because Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript."}, {'type': 'paragraph', 'content': 'Attackers could upload malicious SVG files containing JavaScript code. When other users accessed these files, the embedded JavaScript would execute, leading to a stored XSS attack.'}, {'type': 'paragraph', 'content': 'This vulnerability was fixed in version 0.7.1 by removing SVG files from allowed upload types and adding validation to ensure uploaded files match their claimed image formats.'}] [1]

Impact Analysis

This vulnerability can allow attackers to execute malicious JavaScript in the context of other users who view the uploaded SVG files. This can lead to unauthorized actions such as stealing user credentials, session hijacking, or manipulating the content displayed to users.

The CVSS score of 5.4 indicates moderate severity, with low confidentiality and integrity impacts but no availability impact. Exploitation requires user interaction and low privileges.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your Plunk installation is running a version prior to 0.7.1 and if the image upload endpoint accepts SVG files.'}, {'type': 'paragraph', 'content': 'You can also inspect uploaded files on your system or network to see if any SVG files containing embedded JavaScript have been uploaded, as these are the source of the stored XSS vulnerability.'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': 'Check Plunk version: `plunk --version` or review your deployment details to confirm the version is below 0.7.1.'}, {'type': 'list_item', 'content': "Search for SVG files in the upload directory: `find /path/to/uploads -name '*.svg'`"}, {'type': 'list_item', 'content': "Inspect SVG files for embedded JavaScript by searching for script tags or event handlers: `grep -i '<script' /path/to/uploads/*.svg` or `grep -i 'onload' /path/to/uploads/*.svg`"}] [1]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Plunk to version 0.7.1 or later, where the vulnerability is fixed.

The fix removes SVG files from the list of allowed upload types and adds magic-byte validation to ensure uploaded files match their claimed image formats, preventing malicious SVG uploads.

Additionally, review and remove any previously uploaded SVG files that may contain malicious JavaScript.

If upgrading immediately is not possible, consider temporarily disabling SVG uploads on the image upload endpoint.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32095. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart