Description
Stored Cross-Site Scripting in the exposed AWS API key store of Thinkst Applied Research Canarytokens. Anonymous exploitation requires knowledge of a random identifier. This issue affects Canarytokens: from Docker tag sha-4116b92cb before sha-f5aa5c4e, from Git commit 4116b92cb before f5aa5c4e.
Published: 2026-06-24
Score: 1.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the exposed AWS API key store of Thinkst Applied Research Canarytokens. When an attacker delivers a malicious payload that is persisted in the key store, subsequent retrieval of that key by a user causes the payload to execute in the victim’s browser. This can lead to cookie theft, session hijacking or arbitrary script execution within the context of the web application.

Affected Systems

Thinkst Applied Research Canarytokens is affected. Docker images tagged before sha-f5aa5c4e and Git commits before f5aa5c4e contain the flaw; all earlier releases up to the referenced identifiers are vulnerable.

Risk and Exploitability

The CVSS base score of 1.1 marks the vulnerability as low severity, and no EPSS data is available. It is not listed in CISA KEV, indicating no known public exploitation. The attack vector is an anonymous one that requires knowledge of a random identifier used within the key store; the description does not indicate that the exploit has been publicly demonstrated, but an attacker holding a valid identifier could plausibly exploit it.

Generated by OpenCVE AI on June 24, 2026 at 13:54 UTC.

Remediation

Vendor Solution

Pull the latest Docker image: $ docker pull thinkst/canarytokens:latest


OpenCVE Recommended Actions

  • Pull the latest Canarytokens Docker image using ‘docker pull thinkst/canarytokens:latest’
  • Stop all currently running Canarytokens containers
  • Remove the old containers and redeploy them with the new image
  • Restart the service to ensure the updated image is in use

Generated by OpenCVE AI on June 24, 2026 at 13:54 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 12:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Stored Cross-Site Scripting in the exposed AWS API key store of Thinkst Applied Research Canarytokens. Anonymous exploitation requires knowledge of a random identifier. This issue affects Canarytokens: from Docker tag sha-4116b92cb before sha-f5aa5c4e, from Git commit 4116b92cb before f5aa5c4e.

Type: Title
Values Removed: (none)
Values Added: Stored Cross-Site Scripting in Canarytokens.org

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 1.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: ThinkstAppliedResearch

Published:

Updated: 2026-06-24T12:20:09.343Z

Reserved: 2026-06-24T08:36:28.448Z

Link: CVE-2026-13140

Vulnrichment

Updated: 2026-06-24T12:20:03.611Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T14:00:07Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')