Plunk Stored Cross-Site Scripting Vulnerability via SVG File Upload
Vulnerability
A stored cross-site scripting vulnerability has been identified in Plunk, an open-source email platform that utilizes AWS SES. In versions prior to 0.7.1, the image upload endpoint allowed SVG files, which can execute embedded JavaScript, creating a risk of cross-site scripting. This issue has been addressed in version 0.7.1 by removing SVG from the list of permitted file types and implementing magic-byte validation to ensure uploaded files match their claimed image format.
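The fix described above, sketched as an added example (this is not Plunk's actual code): an allowlist that omits SVG, plus a magic-byte check that the uploaded bytes match the claimed image type. The allowlisted types, the function names and the sample bytes are assumptions constructed for illustration.

```typescript
// Added illustration, not Plunk's code. Allowlist and names are assumptions.
type Signature = { mime: string; bytes: number[] };

// SVG is deliberately absent: it is XML that can embed <script>.
const SIGNATURES: Signature[] = [
  { mime: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // GIF87a
  { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // GIF89a
];

// Returns the image type indicated by the leading bytes, or null.
function sniffImageType(data: Uint8Array): string | null {
  for (const sig of SIGNATURES) {
    if (data.length < sig.bytes.length) continue;
    let match = true;
    for (let i = 0; i < sig.bytes.length; i++) {
      if (data[i] !== sig.bytes[i]) { match = false; break; }
    }
    if (match) return sig.mime;
  }
  return null; // no known image signature
}

function validateUpload(claimedMime: string, data: Uint8Array): { ok: boolean; reason: string } {
  const claimed = claimedMime.trim().toLowerCase();
  let allowed = false;
  for (const sig of SIGNATURES) if (sig.mime === claimed) allowed = true;
  if (!allowed) return { ok: false, reason: "type not allowed" };
  // The client-supplied type is only a claim; the bytes decide.
  if (sniffImageType(data) !== claimed) {
    return { ok: false, reason: "content does not match claimed type" };
  }
  return { ok: true, reason: "ok" };
}

// Helper for building constructed sample inputs from ASCII text.
function ascii(s: string): Uint8Array {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i);
  return out;
}

// Constructed samples: a bare PNG signature and a minimal SVG document.
const PNG_SAMPLE = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const SVG_SAMPLE = ascii('<svg xmlns="http://www.w3.org/2000/svg"><script></script></svg>');

console.log(validateUpload("image/png", PNG_SAMPLE));     // ok
console.log(validateUpload("image/svg+xml", SVG_SAMPLE)); // type not allowed
console.log(validateUpload("image/png", SVG_SAMPLE));     // content does not match claimed type
```

A magic-byte check confirms only the leading bytes of a file. Serving stored uploads with the validated `Content-Type` and `X-Content-Type-Options: nosniff` keeps browsers from reinterpreting them as another format.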
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files could execute JavaScript in the context of the user.
Remediation
Users can upgrade to Plunk version 0.7.1 or later to address this vulnerability.
