Skip to content

analytics

v3.2.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 19d Dashboards & Visualization
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

analytics analytics-dashboard clickhouse elixir google-analytics marketing
+14 more
open-source-analytics phoenix plausible-analytics postgresql privacy privacy-friendly self-hosted simple-analytics statistics tailwindcss web-analytics website-analytics website-stats website-tracking

Affected surfaces

rce_ssrf

ReleasePort's take

Light signal
editorial:auto 9d

The vulnerable `/storybook` HTTP endpoint has been removed in Plausible Community Edition v3.2.1, eliminating the remote code execution risk.

Why it matters: Removal of the `/storybook` endpoint prevents remote code execution for affected versions (v3.2, v3.1, v3.0). Upgrade to v3.2.1 immediately.

Summary

AI summary

Removal of the vulnerable /storybook HTTP endpoint eliminates remote code execution risk.

Changes in this release

Security Medium

Removes vulnerable HTTP "/storybook" endpoint, preventing remote code execution.

Removes vulnerable HTTP "/storybook" endpoint, preventing remote code execution.

Source: llm_adapter@2026-05-21

Confidence: low
Full changelog

Security related update

This patch release fixes a security vulnerability affecting the following versions of Plausible Community Edition (image: ghcr.io/plausible/community-edition):
Tags:

  • v3.2
  • v3.2.0
  • v3
  • v3.2.0-rc.0
  • v3.1
  • v3.1.0
  • v3.1.0-rc.1
  • v3.1.0-rc.0
  • v3.0.1
  • v3.0
  • v3.0.0
  • v3.0.0-rc.6
  • v3.0.0-rc.5
  • v3.0.0-rc.4
  • v3.0.0-rc.3
  • v3.0.0-rc.2
  • v3.0.0-rc.1
  • v3.0.0-rc.0

The affected versions expose a HTTP "/storybook" endpoint which, under certain conditions, allows remote code execution with privileges of system user running the application.

This release v3.2.1 of Plausible Community Edition completely removes that endpoint.

Who is affected?

All deployments of Plausible Community Edition running the following versions:

  • v3.2
  • v3.2.0
  • v3
  • v3.2.0-rc.0
  • v3.1
  • v3.1.0
  • v3.1.0-rc.1
  • v3.1.0-rc.0
  • v3.0.1
  • v3.0
  • v3.0.0
  • v3.0.0-rc.6
  • v3.0.0-rc.5
  • v3.0.0-rc.4
  • v3.0.0-rc.3
  • v3.0.0-rc.2
  • v3.0.0-rc.1
  • v3.0.0-rc.0

where HTTP "/storybook" endpoint is exposed to a public or other untrusted network.

Mitigation

All affected versions of Plausible Community Edition should be updated to v3.2.1 as soon as possible.

As an immediate mitigation, it is recommended to block access to HTTP "/storybook" endpoint in your reverse proxy configuration or via other applicable means.

Changes in this release

  • Remove HTTP "/storybook" endpoint along with the associated logic

No other changes are included in this release.

Breaking Changes

  • Removal of the `/storybook` HTTP endpoint and its associated logic

Security Fixes

  • CVE-2026-XXXXX — Removal of the `/storybook` endpoint prevents remote code execution with privileges of the running system user.
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track analytics

Get notified when new releases ship.

Sign up free

About analytics

Simple, open source, lightweight and privacy-friendly web analytics alternative to Google Analytics.

All releases →

Related context

Related tools

Beta — feedback welcome: [email protected]