CVE-2026-32095

Source
https://cve.org/CVERecord?id=CVE-2026-32095
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32095.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32095
Aliases
  • GHSA-69jg-7493-cx5x
Published
2026-03-11T19:52:15.524Z
Modified
2026-04-10T05:42:54.685231Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Plunk has Stored Cross-Site Scripting (XSS) via SVG File Upload
Details

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32095.json"
}
References

Affected packages

Git / github.com/useplunk/plunk

Affected ranges

Type
GIT
Repo
https://github.com/useplunk/plunk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*
v0.1.0
v0.1.1
v0.2.0
v0.4.0
v0.6.0
v0.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32095.json"