CVE-2026-32095

5.4 MEDIUM

📋 TL;DR

Plunk versions before 0.7.1 have a stored cross-site scripting (XSS) vulnerability in the image upload endpoint. Attackers can upload malicious SVG files containing JavaScript that executes in victims' browsers when viewed. This affects all Plunk users with the vulnerable version.

💻 Affected Systems

Products:
  • Plunk
Versions: All versions before 0.7.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Plunk installations with image upload functionality enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, deface the application, or redirect users to malicious sites.

🟠 Likely Case

Attackers upload malicious SVG files that execute JavaScript in victims' browsers, potentially stealing session tokens or performing unauthorized actions.

🟢 If Mitigated

With proper input validation and content security policies, the impact is limited to potential data leakage from the specific vulnerable endpoint.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to upload files to the vulnerable endpoint, which typically requires authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.1

Vendor Advisory: https://github.com/useplunk/plunk/security/advisories/GHSA-69jg-7493-cx5x

Restart Required: Yes

Instructions:

1. Backup your Plunk installation and data
2. Update Plunk to version 0.7.1 or later
3. Restart the Plunk service
4. Verify the fix by checking the version

🔧 Temporary Workarounds

Disable SVG uploads (applies to: all)

Configure Plunk to reject SVG file uploads at the application level: modify the Plunk configuration to add SVG to the blocked file types. Check the declared content type and the file contents as well as the extension, since an uploaded file can be renamed and mislabelled.

Implement Content Security Policy (applies to: all)

Add CSP headers to prevent inline script execution: add a "Content-Security-Policy: script-src 'self'" header to the web server configuration. The header must be present on the responses that serve the uploaded files themselves, not only on the application's pages, because the script runs when the SVG is opened as a document in its own right.

🧯 If You Can't Patch

  • Implement strict file upload validation to reject SVG files
  • Deploy a WAF with XSS protection rules
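The "strict file upload validation" workaround above, written out as an added example (this is not Plunk's own code, and the field names filename, contentType and data, the allow-list of raster formats, and the sample uploads are assumptions constructed for illustration). It rejects SVG on three independent signals, the extension, the declared MIME type, and the file bytes, and then accepts only files whose magic number identifies a raster format, so a renamed SVG with a forged Content-Type is still refused:

```javascript
// Added example, not Plunk's own code: a default-deny image upload validator
// that rejects SVG by extension, by declared MIME type, and by file content,
// then allow-lists only raster formats identified by their magic bytes.
// The field names (filename, contentType, data) and the allow-list are assumptions.

const SVG_MIME_TYPES = new Set(['image/svg+xml', 'image/svg']);
const SVG_EXTENSIONS = new Set(['svg', 'svgz']);

// Magic numbers of the raster formats this hypothetical endpoint accepts.
const MAGIC = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];

function sniffMime(buf) {
  for (const m of MAGIC) {
    if (buf.length >= m.bytes.length && m.bytes.every((b, i) => buf[i] === b)) {
      return m.type;
    }
  }
  // WebP is a RIFF container: "RIFF" <size> "WEBP".
  if (buf.length >= 12 && buf.toString('latin1', 0, 4) === 'RIFF' &&
      buf.toString('latin1', 8, 12) === 'WEBP') {
    return 'image/webp';
  }
  return null; // unknown format: rejected by the caller
}

function looksLikeSvg(buf) {
  // SVG is XML with an <svg root element; inspect the first 4 KiB as text
  // (after an optional UTF-8 BOM). Anything this misses is still rejected
  // later because it will not carry a raster magic number.
  const head = buf.toString('utf8', 0, Math.min(buf.length, 4096)).replace(/^\uFEFF/, '');
  return /<svg[\s>\/]/i.test(head);
}

function validateImageUpload({ filename, contentType, data }) {
  const ext = (String(filename || '').split('.').pop() || '').toLowerCase();
  if (SVG_EXTENSIONS.has(ext)) {
    return { ok: false, reason: 'svg extension not allowed' };
  }
  const declared = String(contentType || '').toLowerCase().split(';')[0].trim();
  if (SVG_MIME_TYPES.has(declared)) {
    return { ok: false, reason: 'svg content-type not allowed' };
  }
  if (looksLikeSvg(data)) {
    return { ok: false, reason: 'svg content not allowed' };
  }
  const sniffed = sniffMime(data);
  if (!sniffed) {
    return { ok: false, reason: 'not an allow-listed raster image' };
  }
  // Store and later serve the file under the sniffed type, never the declared one.
  return { ok: true, type: sniffed };
}

// Constructed sample uploads.
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const SAMPLE_SVG = Buffer.from(
  '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
);

const SAMPLE_UPLOADS = [
  { filename: 'logo.png', contentType: 'image/png',     data: SAMPLE_PNG },
  { filename: 'logo.svg', contentType: 'image/svg+xml', data: SAMPLE_SVG },
  // Renamed and mislabelled: only the content check catches this one.
  { filename: 'logo.png', contentType: 'image/png',     data: SAMPLE_SVG },
];

// Runs the validator over the constructed samples and returns the three verdicts.
function runSamples() {
  return SAMPLE_UPLOADS.map(validateImageUpload);
}
```

The order of checks is deliberate: the cheap extension and Content-Type tests give a clear error for honest mistakes, while the content sniff and the magic-number allow-list are what actually hold against a hostile upload. Sanitizing SVG instead of rejecting it is a much larger job (the document must be parsed and every script-bearing element and attribute removed), so outright rejection is the safer interim workaround.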

🔍 How to Verify

Check if Vulnerable:

Check if Plunk version is below 0.7.1 and test if SVG files with JavaScript can be uploaded and executed

Check Version:

Check Plunk configuration or package.json for version information

Verify Fix Applied:

Verify Plunk version is 0.7.1 or later and test that SVG files with JavaScript are either rejected or sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads
  • Multiple failed upload attempts with SVG files
  • Requests to image upload endpoint with SVG content

Network Indicators:

  • HTTP POST requests to upload endpoints with SVG content-type
  • Base64 encoded SVG payloads in requests

SIEM Query:

source="plunk" AND (uri_path="/upload" OR uri_path="/image/upload") AND (content_type="image/svg+xml" OR file_extension="svg")
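The SIEM query above, and the "multiple failed upload attempts" indicator, expressed as detection logic over log lines, as an added example that is not part of the original advisory and not any vendor's product code. The log lines are constructed JSON records using the same field names as the query (uri_path, content_type, file_extension) plus assumed src, method, status and ts fields; the upload paths and the burst threshold are assumptions to adapt to the deployment:

```javascript
// Added example, not Plunk's or any SIEM vendor's code: the advisory's query
// as a filter over constructed JSON access-log lines, plus a burst rule for
// repeated SVG upload attempts from one source and a list of uploads the
// server actually accepted (the ones that warrant immediate review).

const UPLOAD_PATHS = new Set(['/upload', '/image/upload']); // paths from the advisory query

// Constructed sample log lines (not real traffic).
const SAMPLE_LOGS = [
  '{"ts":"2026-03-01T10:00:01Z","src":"10.0.0.5","method":"POST","uri_path":"/image/upload","content_type":"image/png","file_extension":"png","status":200}',
  '{"ts":"2026-03-01T10:00:02Z","src":"10.0.0.9","method":"POST","uri_path":"/image/upload","content_type":"image/svg+xml","file_extension":"svg","status":400}',
  '{"ts":"2026-03-01T10:00:03Z","src":"10.0.0.9","method":"POST","uri_path":"/image/upload","content_type":"image/png","file_extension":"svg","status":400}',
  '{"ts":"2026-03-01T10:00:04Z","src":"10.0.0.9","method":"POST","uri_path":"/image/upload","content_type":"image/svg+xml","file_extension":"svg","status":200}',
  '{"ts":"2026-03-01T10:00:05Z","src":"10.0.0.7","method":"GET","uri_path":"/image/upload","content_type":"","file_extension":"","status":405}',
  'not json at all',
];

// Parses one line; malformed lines are skipped rather than aborting the run.
function parseLine(line) {
  try {
    const obj = JSON.parse(line);
    return obj && typeof obj === 'object' ? obj : null;
  } catch {
    return null;
  }
}

// Mirrors the advisory query: an upload-endpoint request carrying SVG by
// content type or by file extension (either signal alone is enough).
function isSvgUpload(ev) {
  if (!UPLOAD_PATHS.has(ev.uri_path)) return false;
  if (ev.method && ev.method !== 'POST' && ev.method !== 'PUT') return false;
  const ct = String(ev.content_type || '').toLowerCase().split(';')[0].trim();
  const ext = String(ev.file_extension || '').toLowerCase();
  return ct === 'image/svg+xml' || ext === 'svg';
}

function detectSvgUploads(lines, { burstThreshold = 3 } = {}) {
  const hits = [];
  const perSource = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || !isSvgUpload(ev)) continue;
    hits.push(ev);
    perSource.set(ev.src, (perSource.get(ev.src) || 0) + 1);
  }
  // Sources that hit the threshold of SVG upload attempts (accepted or not).
  const bursts = [...perSource]
    .filter(([, n]) => n >= burstThreshold)
    .map(([src, n]) => ({ src, count: n }));
  // Uploads the server accepted: on an unpatched instance these are stored files to inspect.
  const accepted = hits.filter(ev => ev.status >= 200 && ev.status < 300);
  return { hits, accepted, bursts };
}
```

On the constructed sample the filter returns three SVG upload events, one of them accepted, and a single burst source. Only the accepted uploads need a stored file pulled and inspected; rejected attempts are still worth counting per source, because a rejected SVG with a forged PNG content type is what a patched or workaround-protected instance is expected to log.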
