Description
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via SVG uploads
Action: Patch
AI Analysis

Impact

Plunk, an open-source email platform, had an image upload endpoint that accepted SVG files up to version 0.6.x. SVG files are treated by modern browsers as active documents capable of executing embedded JavaScript. When an attacker uploads a malicious SVG, the script runs in the context of any user who views the file, enabling classic XSS attacks such as cookie theft, session hijacking, or content injection. This vulnerability falls under CWE-79 as it involves improper handling of user input that is rendered by the browser.

Affected Systems

The vulnerability affects the Plunk email platform from the vendor useplunk. All versions prior to 0.7.1 expose the flaw; the fix was introduced in release 0.7.1.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. EPSS for this issue is reported at less than 1%, suggesting a low likelihood of exploitation in the wild, and it is not listed in the CISA KEV catalog. Exploitation requires an attacker to upload a crafted SVG to the image endpoint; once uploaded, any user who views the file is exposed. The attack vector is inferred to be the upload functionality; whether the endpoint requires authentication is not stated in the description.

Generated by OpenCVE AI on March 17, 2026 at 15:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Plunk to version 0.7.1 or newer to remove support for SVG uploads.
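The root cause described under Impact is that the upload endpoint trusted SVG as an image, and the recommended action is to stop accepting it. The following is an added example, not Plunk's own code, of how an upload handler can enforce that at the server: it allowlists raster formats by magic bytes, rejects SVG by content rather than by the client-supplied name or MIME type, and returns a header set for serving stored uploads so that nothing in the file is treated as a document. All function names (validateImageUpload, uploadResponseHeaders, runDemo) and the sample inputs are assumptions constructed for this example.

```javascript
// Added example, not Plunk's own code: server-side gate for an image upload
// endpoint that rejects SVG by content, plus response headers for serving
// stored uploads. All function names here are hypothetical.

// Magic bytes for the raster formats the endpoint is willing to store.
const RASTER_SIGNATURES = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

function hasPrefix(buf, bytes) {
  return buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b);
}

// WebP is a RIFF container: "RIFF" <4-byte size> "WEBP".
function isWebP(buf) {
  return buf.length >= 12
    && buf.toString('latin1', 0, 4) === 'RIFF'
    && buf.toString('latin1', 8, 12) === 'WEBP';
}

// Returns the raster MIME type detected from the leading bytes, or null.
function sniffRasterType(buf) {
  for (const sig of RASTER_SIGNATURES) {
    if (hasPrefix(buf, sig.bytes)) return sig.type;
  }
  return isWebP(buf) ? 'image/webp' : null;
}

// SVG is XML text. After an optional BOM and whitespace it opens with "<svg",
// an XML declaration or a DOCTYPE; a browser renders any of these as a document.
function looksLikeSvg(buf) {
  const head = buf.subarray(0, 1024).toString('utf8')
    .replace(/^\uFEFF/, '').trimStart().toLowerCase();
  return head.startsWith('<svg') || head.startsWith('<?xml') || head.startsWith('<!doctype');
}

// Decide whether an upload may be stored. The client-supplied filename and
// Content-Type only serve to reject early; the decision rests on the bytes.
function validateImageUpload({ filename = '', contentType = '', body }) {
  const ext = filename.toLowerCase().split('.').pop();
  if (ext === 'svg' || ext === 'svgz' || contentType.toLowerCase().startsWith('image/svg')) {
    return { ok: false, reason: 'svg-not-allowed' };
  }
  if (looksLikeSvg(body)) return { ok: false, reason: 'svg-content' };
  const type = sniffRasterType(body);
  if (type === null) return { ok: false, reason: 'unrecognised-format' };
  return { ok: true, contentType: type };
}

// Response headers for serving a stored upload: the sniffed type is used, not
// the uploader's; nosniff stops the browser from overriding it; the CSP means
// a file that somehow slipped through cannot run script or load resources
// when opened directly.
function uploadResponseHeaders(contentType) {
  return {
    'Content-Type': contentType,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed sample uploads (not real files): a minimal PNG header, a benign
// SVG document, and the same SVG disguised with a .png name and PNG MIME type.
function runDemo() {
  const pngHeader = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
  const svgDoc = Buffer.from(
    '<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
  );
  return {
    png:       validateImageUpload({ filename: 'logo.png', contentType: 'image/png', body: pngHeader }),
    svg:       validateImageUpload({ filename: 'logo.svg', contentType: 'image/svg+xml', body: svgDoc }),
    disguised: validateImageUpload({ filename: 'logo.png', contentType: 'image/png', body: svgDoc }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runDemo());
}
```

The allowlist is the important design choice: a compressed `.svgz` body (gzip bytes) is not matched by the text check, but it is still rejected because it is not one of the accepted raster signatures. Any format the endpoint does not explicitly recognise is refused rather than stored and served with a guessed type.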


Tracking


Advisories

No advisories yet.

History

Mon, 16 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:useplunk:plunk:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Useplunk
 | | Useplunk plunk
Vendors & Products | | Useplunk
 | | Useplunk plunk

Wed, 11 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1.
Title | | Plunk has Stored Cross-Site Scripting (XSS) via SVG File Upload
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1
{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T19:53:49.703Z

Reserved: 2026-03-10T22:02:38.853Z

Link: CVE-2026-32095

Vulnrichment

Updated: 2026-03-12T19:53:46.733Z

NVD

Status : Analyzed

Published: 2026-03-11T20:16:17.923

Modified: 2026-03-16T17:10:07.763

Link: CVE-2026-32095

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:37:28Z

Weaknesses