Description
Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting (XSS) vulnerability exists in github.com/libops/captcha-protect. The challenge page accepted a client-supplied destination value and rendered it into HTML using Go's text/template. Because text/template does not perform contextual HTML escaping, an attacker could supply a crafted destination value that breaks out of the hidden input attribute and injects arbitrary script into the challenge page. This issue has been patched in version 1.12.2.
Published: 2026-03-31
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS
Action: Apply Patch
AI Analysis

Impact

The exploit permits injection of arbitrary JavaScript into the captcha challenge page via a client‑supplied destination parameter. Because the plugin uses Go’s text/template without HTML escaping, the input is reflected verbatim, allowing an attacker to execute scripts in the victim’s browser and potentially steal credentials. This is a reflected Cross‑Site Scripting vulnerability (CWE‑79).

Affected Systems

The vulnerability impacts the libops captcha‑protect Traefik middleware in all versions prior to 1.12.2. Any Traefik instance that enables this plugin on subnets experiencing traffic spikes is affected.

Risk and Exploitability

With a CVSS score of 6.1, the issue carries moderate severity, and an EPSS probability of less than 1% indicates low likelihood of exploitation. It is not listed in the CISA KEV catalog. The attack vector is inferred to be a browser‑based reflected XSS triggered when a malicious destination URL is injected into the challenge page, causing the page to execute the crafted script.

Generated by OpenCVE AI on April 7, 2026 at 23:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libops captcha‑protect to version 1.12.2 or later and redeploy the Traefik middleware.
  • Restart affected Traefik services to apply the patched plugin, ensuring configuration references the updated version.
  • Verify that the challenge page no longer echoes unsanitized destination parameters by testing with benign input.

Generated by OpenCVE AI on April 7, 2026 at 23:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Libops captcha Protect
CPEs cpe:2.3:a:libops:captcha_protect:*:*:*:*:*:traefik:*:*
Vendors & Products Libops captcha Protect

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Libops
Libops captcha-protect
Vendors & Products Libops
Libops captcha-protect

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting (XSS) vulnerability exists in github.com/libops/captcha-protect. The challenge page accepted a client-supplied destination value and rendered it into HTML using Go's text/template. Because text/template does not perform contextual HTML escaping, an attacker could supply a crafted destination value that breaks out of the hidden input attribute and injects arbitrary script into the challenge page. This issue has been patched in version 1.12.2.
Title Captcha Protect: Reflected XSS in challenge page via unsanitized destination rendered with text/template
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Libops Captcha-protect Captcha Protect
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:41:05.256Z

Reserved: 2026-03-26T15:57:52.323Z

Link: CVE-2026-34206

cve-icon Vulnrichment

Updated: 2026-04-01T18:41:01.615Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T20:16:28.830

Modified: 2026-06-17T10:38:38.983

Link: CVE-2026-34206

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:09Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')