Description
Canarytokens help track activity and actions on a network. Versions prior to `sha-7ff0e12` have a Self Cross-Site Scripting vulnerability in the "PWA" Canarytoken, whereby the Canarytoken's creator can attack themselves or someone they share the link with. The creator of a PWA Canarytoken can insert JavaScript into the title field of their PWA token. When the creator later browses the installation page for their own Canarytoken, the JavaScript executes. This is a self-XSS. An attacker could create a Canarytoken with this self-XSS and send the install link to a victim; when the victim opens it, the JavaScript would execute. However, no sensitive information (e.g. session information) is disclosed to the malicious actor. This issue is now patched on Canarytokens.org. Users of self-hosted Canarytokens installations can update by pulling the latest Docker image, or any Docker image after sha-7ff0e12.
Published: 2026-02-27
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Self-initiated script execution via PWA Canarytoken title field
Action: Patch
AI Analysis

Impact

Canarytokens include a progressive web app (PWA) token that stores the title text in a database. Prior to sha-7ff0e12 the title field was neither sanitized nor encoded on output, so a token creator could embed arbitrary JavaScript. When a user later opens the token's installation page, the browser executes that JavaScript in that user's context. Although the payload runs in the victim's browser, the supplied description states that no session identifiers or other sensitive data are disclosed, so the impact is limited to script execution in the victim's browser without credential theft.

Affected Systems

The issue affects the Thinkst canarytokens product, specifically the PWA token type, in all releases before sha-7ff0e12. Self-hosted deployments running older Docker images are also affected.

Risk and Exploitability

The CVSS score is 1.3 and the EPSS probability is below 1%. The vulnerability is not listed in the KEV catalog. An attacker would need to craft a token with malicious title content, share the installation link and convince a victim to open it. Because the payload runs only in the victim's browser session and does not compromise server credentials, the overall exploitation likelihood remains low and the scope is limited to the victim's local environment.

Generated by OpenCVE AI on April 16, 2026 at 15:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the patched Docker image tagged sha-7ff0e12 or any newer image.
  • If running a self‑hosted Canarytokens instance, pull the latest image and redeploy the container.
  • Review and delete any existing PWA tokens whose titles contain injected JavaScript.
  • Configure or enforce title field sanitization to prevent future script injections.
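As an added illustration (not Canarytokens' own code, which this page does not reproduce), the vulnerable rendering pattern behind this CWE-79 finding beside its hardened form, plus a simple screen for reviewing already-stored titles as the third action above recommends. Function names and the sample titles are constructed for the example.

```javascript
// Escape the five characters that can break out of an HTML text node or a
// double-quoted attribute value. Encoding at output time is the fix that
// holds regardless of how the title was stored.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (the shape of the bug described on this page): the stored
// title is concatenated straight into the installation page markup, so any
// markup or script in the title becomes part of the page.
function renderInstallPageUnsafe(title) {
  return `<title>${title}</title>\n<h1 class="app-name">${title}</h1>`;
}

// Hardened pattern: the title is treated as data and HTML-encoded at each
// point where it is emitted into the page.
function renderInstallPage(title) {
  const safe = escapeHtml(title);
  return `<title>${safe}</title>\n<h1 class="app-name">${safe}</h1>`;
}

// Heuristic for triaging existing stored titles: flags a tag, an inline event
// handler attribute, or a javascript: URL. Constructed, not a parser; false
// positives are acceptable for a review queue.
function titleLooksInjected(title) {
  return /<\s*\/?\s*[a-z]|on[a-z]+\s*=|javascript:/i.test(String(title));
}

// Constructed sample titles (no real tokens involved).
const benignTitle = "Payroll Portal";
const hostileTitle = "<script>alert(1)</script>";

// With the hostile title, the unsafe renderer emits a live <script> element;
// the hardened renderer emits it as inert text.
console.log(renderInstallPageUnsafe(hostileTitle));
console.log(renderInstallPage(hostileTitle));
console.log(titleLooksInjected(benignTitle), titleLooksInjected(hostileTitle));
```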

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 21:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Thinkst; Thinkst canarytokens

Type: Vendors & Products
Values Removed: none
Values Added: Thinkst; Thinkst canarytokens

Fri, 27 Feb 2026 21:15:00 +0000

Type: Description
Values Removed: none
Values Added: Canarytokens help track activity and actions on a network. Versions prior to `sha-7ff0e12` have a Self Cross-Site Scripting vulnerability in the "PWA" Canarytoken, whereby the Canarytoken's creator can attack themselves or someone they share the link with. The creator of a PWA Canarytoken can insert JavaScript into the title field of their PWA token. When the creator later browses the installation page for their own Canarytoken, the JavaScript executes. This is a self-XSS. An attacker could create a Canarytoken with this self-XSS and send the install link to a victim; when the victim opens it, the JavaScript would execute. However, no sensitive information (e.g. session information) is disclosed to the malicious actor. This issue is now patched on Canarytokens.org. Users of self-hosted Canarytokens installations can update by pulling the latest Docker image, or any Docker image after sha-7ff0e12.

Type: Title
Values Removed: none
Values Added: "PWA" Canarytoken Vulnerable to Stored Self Cross-Site Scripting

Type: Weaknesses
Values Removed: none
Values Added: CWE-79

Type: References
Values Removed: none
Values Added: (none shown)

Type: Metrics
Values Removed: none
Values Added: cvssV4_0 {'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}


Subscriptions

Thinkst Canarytokens
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T20:29:43.254Z

Reserved: 2026-02-26T18:38:13.890Z

Link: CVE-2026-28355

Vulnrichment

Updated: 2026-03-03T20:29:40.550Z

NVD

Status: Deferred

Published: 2026-02-27T21:16:19.563

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-28355

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:15:39Z

Weaknesses