Impact
The vulnerability is an HTML injection issue in the notification emails generated for "Slow Redirect" and "Cloned Website" Canarytokens. When such a token is triggered, the system sends an HTML email containing the token information. Because that information is placed into the HTML body without adequate escaping, malicious content can be injected into the email, allowing an attacker to execute arbitrary JavaScript or manipulate the rendered message in any email client that processes HTML. This weakness, classified as CWE‑74, can lead to interface manipulation and cross‑site scripting in the email client context, potentially compromising the confidentiality or integrity of the message and enabling phishing or credential theft.
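The following is an added illustration of the bug class, not code from the Canarytokens project: it contrasts a notification template that interpolates request-derived strings straight into HTML (the CWE‑74 pattern described above) with one that escapes them first. The `TokenHit` fields, the `notify@example.invalid` address and the sample hit are constructed assumptions; which fields were affected in Canarytokens is not stated here.

```python
import html
from dataclasses import dataclass


@dataclass
class TokenHit:
    """Details recorded when a token fires (hypothetical shape, constructed for this example)."""
    token_type: str   # e.g. "Slow Redirect" or "Cloned Website"
    hostname: str     # host the token was deployed on
    referer: str      # HTTP Referer seen on the triggering request (untrusted)
    user_agent: str   # User-Agent seen on the triggering request (untrusted)


def render_email_vulnerable(hit: TokenHit) -> str:
    # 'Before' pattern: untrusted request fields concatenated directly into markup,
    # so any tags they contain become part of the email's DOM in the client.
    return (
        "<html><body>"
        f"<h1>{hit.token_type} token triggered</h1>"
        f"<p>Host: {hit.hostname}</p>"
        f"<p>Referer: {hit.referer}</p>"
        f"<p>User-Agent: {hit.user_agent}</p>"
        "</body></html>"
    )


def render_email_hardened(hit: TokenHit) -> str:
    # 'After' pattern: every value that did not originate in our own template is
    # HTML-escaped (including quotes, so it is also safe inside attribute values).
    e = lambda s: html.escape(s, quote=True)
    return (
        "<html><body>"
        f"<h1>{e(hit.token_type)} token triggered</h1>"
        f"<p>Host: {e(hit.hostname)}</p>"
        f"<p>Referer: {e(hit.referer)}</p>"
        f"<p>User-Agent: {e(hit.user_agent)}</p>"
        "</body></html>"
    )


def untrusted_markup_survives(body: str, untrusted_value: str) -> bool:
    # Simple regression check: does the raw untrusted string appear verbatim in the
    # rendered body? A correct renderer must answer False for any value containing '<'.
    return untrusted_value in body


# Constructed sample hit: the Referer carries harmless markup standing in for an injection.
SAMPLE_HIT = TokenHit(
    token_type="Slow Redirect",
    hostname="intranet.example.invalid",
    referer='<b title="x">bold text that did not come from our template</b>',
    user_agent="Mozilla/5.0 (constructed sample)",
)

if __name__ == "__main__":
    print("vulnerable keeps markup:", untrusted_markup_survives(render_email_vulnerable(SAMPLE_HIT), SAMPLE_HIT.referer))
    print("hardened keeps markup:  ", untrusted_markup_survives(render_email_hardened(SAMPLE_HIT), SAMPLE_HIT.referer))
```

The same check can be dropped into a unit test for any template that builds HTML notifications, so a regression in escaping fails the build rather than reaching inboxes.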
Affected Systems
Only the Canarytokens product from Thinkst Applied Research is affected. The issue exists in Docker images built from commit sha‑c42435e up to, but not including, sha‑bfda4df, and in any Git‑based deployment that incorporates the corresponding code range. Builds preceding sha‑bfda4df are vulnerable, while that revision and later ones incorporate the fix.
Risk and Exploitability
The CVSS score of 1.2 indicates a low overall severity, but the lack of an EPSS value and absence from the CISA KEV catalog do not eliminate the risk of exploitation in environments where HTML email rendering is common. The vulnerability is exploitable by simply triggering a Canarytoken that sends the notification email; an attacker who receives the email can then exploit the injected content in their email client. Because the vector is client‑side, the impact is limited to recipients of the notification email rather than the server itself. Maintaining current images mitigates the risk.
OpenCVE Enrichment