Skip to main content

Captcha Protect EUVDEUVD-2026-17602

| CVE-2026-34206 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-31 GitHub_M
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.12.2
EUVD ID Assigned
Mar 31, 2026 - 19:47 euvd
EUVD-2026-17602
Analysis Generated
Mar 31, 2026 - 19:47 vuln.today
CVE Published
Mar 31, 2026 - 19:34 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting (XSS) vulnerability exists in github.com/libops/captcha-protect. The challenge page accepted a client-supplied destination value and rendered it into HTML using Go's text/template. Because text/template does not perform contextual HTML escaping, an attacker could supply a crafted destination value that breaks out of the hidden input attribute and injects arbitrary script into the challenge page. This issue has been patched in version 1.12.2.

AnalysisAI

Reflected cross-site scripting (XSS) in Captcha Protect versions prior to 1.12.2 allows unauthenticated remote attackers to inject arbitrary script into the anti-bot challenge page by supplying a crafted destination parameter. The vulnerability exploits unsafe use of Go's text/template library, which does not perform contextual HTML escaping, enabling attackers to break out of HTML attributes and execute malicious code in the context of users viewing the challenge page. This affects all Traefik middleware deployments using vulnerable versions of libops/captcha-protect.

Technical ContextAI

Captcha Protect is a Traefik middleware component designed to mitigate bot traffic by presenting a challenge page when traffic spikes are detected from specific subnets. The vulnerability resides in the challenge page rendering logic, where user-supplied destination values are embedded into HTML using Go's text/template package. Unlike html/template, which provides contextual autoescaping across HTML, JavaScript, CSS, and URL contexts, text/template performs no escaping whatsoever and is designed for plain-text output. The affected code path directly interpolates the destination parameter into an HTML attribute without sanitization, violating secure template practices. An attacker can craft a destination value containing payload sequences that break the attribute boundary (e.g., closing quotes and angle brackets) to inject script tags or event handlers. The CWE-79 classification confirms improper neutralization of input during web page generation, a classic XSS root cause.

RemediationAI

Upgrade Captcha Protect to version 1.12.2 or later, which includes the security patch. For Traefik users, this requires updating the captcha-protect dependency in their Traefik configuration or plugin repository and redeploying the middleware. The fix is available in the upstream release at https://github.com/libops/captcha-protect/releases/tag/v1.12.2, and the specific patch commit eef6211ecd1147273be484d913b81c68c0bd8d3f is referenced at https://github.com/libops/captcha-protect/commit/eef6211ecd1147273be484d913b81c68c0bd8d3f. The detailed advisory is available at https://github.com/libops/captcha-protect/security/advisories/GHSA-ph62-4j5g-2q4r. Users unable to patch immediately should review and restrict which external parameters or referrers can trigger the challenge page to reduce attack surface.

Share

EUVD-2026-17602 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy