CVE-2026-32095 (GCVE-0-2026-32095)

Vulnerability from cvelistv5 – Published: 2026-03-11 19:52 – Updated: 2026-03-12 19:53
VLAI?
Title
Plunk has Stored Cross-Site Scripting (XSS) via SVG File Upload
Summary
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1.
Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
useplunk plunk Affected: < 0.7.1
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32095",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-12T19:53:42.566085Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-12T19:53:49.703Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "plunk",
          "vendor": "useplunk",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.7.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk\u0027s image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-11T19:52:15.524Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/useplunk/plunk/security/advisories/GHSA-69jg-7493-cx5x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/useplunk/plunk/security/advisories/GHSA-69jg-7493-cx5x"
        }
      ],
      "source": {
        "advisory": "GHSA-69jg-7493-cx5x",
        "discovery": "UNKNOWN"
      },
      "title": "Plunk has Stored Cross-Site Scripting (XSS) via SVG File Upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32095",
    "datePublished": "2026-03-11T19:52:15.524Z",
    "dateReserved": "2026-03-10T22:02:38.853Z",
    "dateUpdated": "2026-03-12T19:53:49.703Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-32095",
      "date": "2026-04-24",
      "epss": "0.00035",
      "percentile": "0.10307"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32095\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-11T20:16:17.923\",\"lastModified\":\"2026-03-16T17:10:07.763\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk\u0027s image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1.\"},{\"lang\":\"es\",\"value\":\"Plunk es una plataforma de correo electr\u00f3nico de c\u00f3digo abierto construida sobre AWS SES. Antes de la versi\u00f3n 0.7.1, el punto final de carga de im\u00e1genes de Plunk aceptaba archivos SVG, que los navegadores tratan como documentos activos capaces de ejecutar JavaScript incrustado, creando una vulnerabilidad de XSS almacenado. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.7.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:useplunk:plunk:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.7.1\",\"matchCriteriaId\":\"C8951C88-1813-41E0-8F35-A7FFDA8DC6E2\"}]}]}],\"references\":[{\"url\":\"https://github.com/useplunk/plunk/security/advisories/GHSA-69jg-7493-cx5x\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32095\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-12T19:53:42.566085Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-12T19:53:46.733Z\"}}], \"cna\": {\"title\": \"Plunk has Stored Cross-Site Scripting (XSS) via SVG File Upload\", \"source\": {\"advisory\": \"GHSA-69jg-7493-cx5x\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"useplunk\", \"product\": \"plunk\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.7.1\"}]}], \"references\": [{\"url\": \"https://github.com/useplunk/plunk/security/advisories/GHSA-69jg-7493-cx5x\", \"name\": \"https://github.com/useplunk/plunk/security/advisories/GHSA-69jg-7493-cx5x\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk\u0027s image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-11T19:52:15.524Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32095\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-12T19:53:49.703Z\", \"dateReserved\": \"2026-03-10T22:02:38.853Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-11T19:52:15.524Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.