PT-2026-22402 · Canarytokens · Canarytokens Pwa
Arkmarta · Published 2026-02-27 · Updated 2026-02-28
CVE-2026-28355
CVSS v4.0: 1.3 (Low)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Canarytokens versions prior to sha-7ff0e12
Description
The Canarytokens PWA Canarytoken has a Self Cross-Site Scripting issue. A Canarytoken creator can execute JavaScript code by inserting it into the title field of their PWA token. This allows the creator to attack themselves or anyone they share the link with. When a victim clicks on the installation link, the JavaScript code executes. However, no sensitive information is disclosed to a malicious actor.
Recommendations
Update to a Docker image after sha-7ff0e12 or pull the latest Docker image from Canarytokens.org.
Fix
XSS
Affected Products
Canarytokens Pwa