Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting (XSS) vulnerability exists in github.com/libops/captcha-protect. The challenge page accepted a client-supplied destination value and rendered it into HTML using Go's text/template. Because text/template does not perform contextual HTML escaping, an attacker could supply a crafted destination value that breaks out of the hidden input attribute and injects arbitrary script into the challenge page. This issue has been patched in version 1.12.2.
AnalysisAI
Reflected cross-site scripting (XSS) in Captcha Protect versions prior to 1.12.2 allows unauthenticated remote attackers to inject arbitrary script into the anti-bot challenge page by supplying a crafted destination parameter. The vulnerability exploits unsafe use of Go's text/template library, which does not perform contextual HTML escaping, enabling attackers to break out of HTML attributes and execute malicious code in the context of users viewing the challenge page. This affects all Traefik middleware deployments using vulnerable versions of libops/captcha-protect.
Technical ContextAI
Captcha Protect is a Traefik middleware component designed to mitigate bot traffic by presenting a challenge page when traffic spikes are detected from specific subnets. The vulnerability resides in the challenge page rendering logic, where user-supplied destination values are embedded into HTML using Go's text/template package. Unlike html/template, which provides contextual autoescaping across HTML, JavaScript, CSS, and URL contexts, text/template performs no escaping whatsoever and is designed for plain-text output. The affected code path directly interpolates the destination parameter into an HTML attribute without sanitization, violating secure template practices. An attacker can craft a destination value containing payload sequences that break the attribute boundary (e.g., closing quotes and angle brackets) to inject script tags or event handlers. The CWE-79 classification confirms improper neutralization of input during web page generation, a classic XSS root cause.
RemediationAI
Upgrade Captcha Protect to version 1.12.2 or later, which includes the security patch. For Traefik users, this requires updating the captcha-protect dependency in their Traefik configuration or plugin repository and redeploying the middleware. The fix is available in the upstream release at https://github.com/libops/captcha-protect/releases/tag/v1.12.2, and the specific patch commit eef6211ecd1147273be484d913b81c68c0bd8d3f is referenced at https://github.com/libops/captcha-protect/commit/eef6211ecd1147273be484d913b81c68c0bd8d3f. The detailed advisory is available at https://github.com/libops/captcha-protect/security/advisories/GHSA-ph62-4j5g-2q4r. Users unable to patch immediately should review and restrict which external parameters or referrers can trigger the challenge page to reduce attack surface.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17602