PT-2026-24814 · Git+1 · Plunk

Ormzro

·

Published

2026-03-11

·

Updated

2026-03-11

·

CVE-2026-32095

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Plunk versions prior to 0.7.1
Description Plunk is an email platform built on AWS SES. The image upload endpoint, ''/upload'', accepted SVG files. Browsers process SVG files as active documents, allowing embedded JavaScript to execute. This creates a stored cross-site scripting (XSS) issue. The upload function processes the uploaded files.
Recommendations Update to version 0.7.1 or later.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2026-32095
GHSA-69JG-7493-CX5X

Affected Products

Plunk