
CVE-2026-32095: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in useplunk plunk

Severity: Medium
Published: Wed Mar 11 2026 (03/11/2026, 19:52:15 UTC)
Source: CVE Database V5
Vendor/Project: useplunk
Product: plunk

Description

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1.

AI-Powered Analysis

Last updated: 03/11/2026, 20:30:32 UTC

Technical Analysis

CVE-2026-32095 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Plunk open-source email platform built on AWS SES. The vulnerability exists in versions prior to 0.7.1 due to the platform's image upload endpoint accepting SVG files without proper sanitization. SVG files are treated by browsers as active documents capable of embedding and executing JavaScript. This allows an attacker to upload a crafted SVG containing malicious scripts that get stored on the server and later executed in the browsers of users who view the affected content. The vulnerability can be exploited remotely over the network with low attack complexity and requires only low privileges (PR:L) and user interaction (UI:R) to trigger. The scope is changed (S:C) because the vulnerability can affect other users' sessions and data. The CVSS 3.1 base score is 5.4, reflecting a medium severity with partial impact on confidentiality and integrity but no impact on availability. No known exploits have been reported in the wild yet. The vulnerability was addressed in Plunk version 0.7.1 by restricting or sanitizing SVG uploads to prevent script execution. This vulnerability highlights the risks of accepting SVG files without proper validation in web applications, especially those handling user-generated content.

Potential Impact

The primary impact of this vulnerability is on the confidentiality and integrity of user data within organizations using affected Plunk versions. Successful exploitation can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of users, potentially compromising sensitive email communications. As Plunk is an email platform, attackers could leverage this to gain access to internal communications or launch further attacks such as phishing or lateral movement within networks. Although availability is not affected, the breach of trust and data confidentiality can have significant reputational and operational consequences. The vulnerability's medium severity and requirement for user interaction limit its immediate risk, but organizations with high-value targets or sensitive communications should treat it seriously. Since no known exploits are reported, proactive patching can effectively mitigate the threat before exploitation occurs.

Mitigation Recommendations

Organizations should immediately upgrade Plunk to version 0.7.1 or later to apply the official fix that sanitizes or disallows SVG uploads. In addition, implement strict server-side validation to reject or sanitize all SVG files and other potentially active content types. Deploy Content Security Policy (CSP) headers to restrict script execution contexts and reduce the impact of any injected scripts. Educate users to be cautious with unexpected or suspicious email content, especially images or attachments. Regularly audit and monitor logs for unusual upload activity or attempts to upload SVG files. Consider disabling SVG support entirely if not required. Employ web application firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense. Finally, conduct security testing and code reviews focused on input validation and output encoding to prevent similar vulnerabilities in the future.
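A server-side check of the kind the recommendations describe, added here as an example and not Plunk's own code: it allow-lists raster formats by their byte signatures, refuses anything that parses as markup (so an SVG is rejected whatever Content-Type or extension the client declares), and builds the response headers that keep a stored file from running script in the application's origin. The sample buffers are constructed.

```javascript
// Added example, not Plunk's code. Validate image uploads by content, never by
// the client-supplied Content-Type or file extension.
const MAGIC = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Return the MIME type whose signature sits at offset 0, or null.
function sniffType(buf) {
  for (const { type, bytes } of MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) return type;
  }
  // WebP is a RIFF container: "RIFF" <size> "WEBP".
  if (buf.length >= 12 && buf.toString('latin1', 0, 4) === 'RIFF'
      && buf.toString('latin1', 8, 12) === 'WEBP') return 'image/webp';
  return null;
}

// SVG, XML and HTML are active documents in a browser; anything whose first
// non-blank character (after an optional BOM) is '<' is refused outright.
function looksLikeMarkup(buf) {
  const head = buf.subarray(0, 512).toString('utf8').replace(/^\uFEFF/, '').trimStart();
  return head.startsWith('<');
}

// Accept only a recognised raster image whose bytes match the declared type.
function validateImageUpload(buf, declaredType) {
  if (looksLikeMarkup(buf)) return { ok: false, reason: 'markup (e.g. SVG) is not an allowed image' };
  const sniffed = sniffType(buf);
  if (!sniffed) return { ok: false, reason: 'unrecognised image signature' };
  if (declaredType && declaredType !== sniffed) {
    return { ok: false, reason: `declared ${declaredType} but content is ${sniffed}` };
  }
  return { ok: true, type: sniffed };
}

// Headers for serving stored uploads: fixed type, no sniffing, and a sandboxed
// CSP so even a file that slipped through cannot execute script in this origin.
function uploadResponseHeaders(type) {
  return {
    'Content-Type': type,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed samples: a PNG header, and an SVG with BOM and leading whitespace.
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const SAMPLE_SVG = Buffer.from('\uFEFF  <?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"/>', 'utf8');
```

The markup check runs before signature matching, so an SVG uploaded under a PNG filename and `image/png` Content-Type is still rejected.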

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-10T22:02:38.853Z
CVSS Version: 3.1
State: PUBLISHED

Added to database: 3/11/2026, 8:14:48 PM

Last enriched: 3/11/2026, 8:30:32 PM

Last updated: 3/13/2026, 7:26:39 PM