CVE-2026-32095 identifies a stored cross-site scripting (XSS) vulnerability in the Plunk email platform, an open-source solution built on AWS Simple Email Service (SES). The vulnerability exists in versions prior to 0.7.1 due to the image upload endpoint accepting SVG files without proper sanitization. SVG files are XML-based vector images that browsers treat as active documents capable of executing embedded JavaScript. This flaw allows an attacker with at least limited privileges to upload a crafted SVG containing malicious scripts. When other users view the affected content, the embedded JavaScript executes in their browsers, leading to potential theft of session tokens, user impersonation, or manipulation of displayed content. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 3.1 base score is 5.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges and user interaction, and impacting confidentiality and integrity with no impact on availability. No known exploits have been reported in the wild as of the publication date. The issue was resolved in Plunk version 0.7.1 by restricting or sanitizing SVG uploads to prevent script execution. This vulnerability highlights the risk of accepting SVG files without proper validation in web applications, especially those handling user-generated content.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within affected Plunk deployments. Successful exploitation can lead to session hijacking, unauthorized actions performed on behalf of users, and the injection of malicious content that could mislead or harm users. While availability is not affected, the breach of trust and data confidentiality can have significant consequences, especially in email platforms where sensitive communications occur. Organizations relying on Plunk versions prior to 0.7.1 may face reputational damage, regulatory compliance issues, and increased risk of further attacks leveraging stolen credentials or session tokens. The requirement for some user interaction (viewing the malicious SVG) and privileges to upload files somewhat limits the attack scope but does not eliminate risk, particularly in environments with many users or less stringent access controls.

To mitigate this vulnerability, organizations should upgrade Plunk to version 0.7.1 or later, where the SVG upload handling is fixed. If immediate upgrade is not feasible, implement strict input validation and sanitization on the image upload endpoint to reject or properly sanitize SVG files, removing any embedded scripts or active content. Employ Content Security Policy (CSP) headers to restrict script execution from untrusted sources and reduce the impact of potential XSS attacks. Additionally, enforce least privilege principles to limit who can upload files and monitor upload activity for suspicious behavior. Regularly audit and scan web applications for XSS vulnerabilities using automated tools and manual testing. Educate users about the risks of interacting with unexpected or suspicious content within the platform. Finally, maintain up-to-date backups and incident response plans to quickly address any exploitation attempts.