CVE-2026-32095

{"id": "CVE-2026-32095", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-03-11T20:16:17.923", "references": [{"url": "https://github.com/useplunk/plunk/security/advisories/GHSA-69jg-7493-cx5x", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1."}, {"lang": "es", "value": "Plunk es una plataforma de correo electr\u00f3nico de c\u00f3digo abierto construida sobre AWS SES. Antes de la versi\u00f3n 0.7.1, el punto final de carga de im\u00e1genes de Plunk aceptaba archivos SVG, que los navegadores tratan como documentos activos capaces de ejecutar JavaScript incrustado, creando una vulnerabilidad de XSS almacenado. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.7.1."}], "lastModified": "2026-03-16T17:10:07.763", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:useplunk:plunk:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C8951C88-1813-41E0-8F35-A7FFDA8DC6E2", "versionEndExcluding": "0.7.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}