Plunk
CVE-2026-32095
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1.
AnalysisAI
Plunk is an open-source email platform built on top of AWS SES. versions up to 0.7.1 is affected by cross-site scripting (xss) (CVSS 5.4).
Technical ContextAI
This vulnerability (CWE-79: Cross-site Scripting (XSS)) affects Plunk is an open-source email platform built on top of AWS SES.. Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1.
RemediationAI
Fixed in version 0.7.1.. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
SSRF in Plunk email platform before 0.7.0.
CRLF injection in Plunk email platform's SESService.ts allows authenticated API users to inject arbitrary MIME headers b
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (X
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today