{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32095", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:02:38.853Z", "datePublished": "2026-03-11T19:52:15.524Z", "dateUpdated": "2026-03-12T19:53:49.703Z"}, "containers": {"cna": {"title": "Plunk has Stored Cross-Site Scripting (XSS) via SVG File Upload", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/useplunk/plunk/security/advisories/GHSA-69jg-7493-cx5x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/useplunk/plunk/security/advisories/GHSA-69jg-7493-cx5x"}], "affected": [{"vendor": "useplunk", "product": "plunk", "versions": [{"version": "< 0.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:52:15.524Z"}, "descriptions": [{"lang": "en", "value": "Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1."}], "source": {"advisory": "GHSA-69jg-7493-cx5x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:53:42.566085Z", "id": "CVE-2026-32095", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:53:49.703Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32095", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T19:53:42.566085Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:53:46.733Z"}}], "cna": {"title": "Plunk has Stored Cross-Site Scripting (XSS) via SVG File Upload", "source": {"advisory": "GHSA-69jg-7493-cx5x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "useplunk", "product": "plunk", "versions": [{"status": "affected", "version": "< 0.7.1"}]}], "references": [{"url": "https://github.com/useplunk/plunk/security/advisories/GHSA-69jg-7493-cx5x", "name": "https://github.com/useplunk/plunk/security/advisories/GHSA-69jg-7493-cx5x", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:52:15.524Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32095", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:53:49.703Z", "dateReserved": "2026-03-10T22:02:38.853Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T19:52:15.524Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:useplunk:plunk:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8951C88-1813-41E0-8F35-A7FFDA8DC6E2", "versionEndExcluding": "0.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1."}, {"lang": "es", "value": "Plunk es una plataforma de correo electr\u00f3nico de c\u00f3digo abierto construida sobre AWS SES. Antes de la versi\u00f3n 0.7.1, el punto final de carga de im\u00e1genes de Plunk aceptaba archivos SVG, que los navegadores tratan como documentos activos capaces de ejecutar JavaScript incrustado, creando una vulnerabilidad de XSS almacenado. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.7.1."}], "id": "CVE-2026-32095", "lastModified": "2026-03-16T17:10:07.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-11T20:16:17.923", "references": [{"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/useplunk/plunk/security/advisories/GHSA-69jg-7493-cx5x"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.7.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "plunk", "vendor": "useplunk"}], "created": "2026-03-12T09:56:23.764910+00:00", "updated": "2026-03-12T09:56:23.764984+00:00", "vendors": ["useplunk", "useplunk$PRODUCT$plunk"]}