Skip to main content

Canarytokens EUVDEUVD-2026-34085

| CVE-2026-10729 LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-03 0f2be0ad-3469-4e56-b38f-4eb96719b425
1.2
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.2 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:L/U:Green

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:L/U:Green
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 03, 2026 - 14:31 vuln.today

DescriptionCVE.org

An HTML injection vulnerability in the notification email for "Slow Redirect" and "Cloned Website" Canarytokens exists in Thinkst Applied Research Canarytokens, enabling Interface Manipulation, Cross-Site Scripting (XSS) in emails clients that render HTML emails.

This issue affects Canarytokens: from Docker tag sha-c42435e before sha-bfda4df, from Git commit c42435e before bfda4df.

AnalysisAI

HTML injection in Thinkst Applied Research Canarytokens notification emails for 'Slow Redirect' and 'Cloned Website' token types allows an attacker who triggers those tokens to embed arbitrary HTML and JavaScript into the alert email sent to the operator. If the recipient opens the notification in an HTML-rendering email client, the injected content executes within that client's context, enabling interface manipulation and XSS. This affects self-hosted Docker deployments between tag sha-c42435e and sha-bfda4df; a proof of concept exists (CVSS E:P), though no public exploit confirmed active exploitation and CISA KEV listing is absent.

Technical ContextAI

Canarytokens is a self-hosted honeypot platform by Thinkst Applied Research that generates alert emails when monitored tokens are triggered. The 'Slow Redirect' and 'Cloned Website' token types embed request-derived data (e.g., HTTP headers, user-agent, or referrer fields supplied by the triggering party) into notification email bodies. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - Injection) identifies the root cause: attacker-controlled input from the triggering HTTP request is interpolated into email HTML without adequate escaping or sanitization, allowing raw HTML tags and script blocks to pass through into the rendered email. The vulnerability is specific to the self-hosted Docker deployment path; no CPE string was included in the advisory data.

RemediationAI

Update the self-hosted Canarytokens Docker deployment to image tag sha-bfda4df or any later commit, which represents the boundary of the fix per the affected version range in the advisory at https://github.com/thinkst/canarytokens/security/advisories/GHSA-hmjv-pj8j-8fg7. Note that the exact patched release tag sha-bfda4df is inferred from the advisory's affected-range boundary and has not been independently verified as a formally released artifact. If immediate patching is not feasible, configure email clients used by Canarytokens operators to display notifications in plain-text mode rather than rendering HTML - this prevents script execution at the cost of losing formatted email layout. Alternatively, route canary alert emails through a gateway that strips HTML before delivery; this trade-off may remove legitimate formatting from alerts. No further compensating controls are needed given the RE:L (low remediation effort) rating.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

EUVD-2026-34085 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy