PT-2026-29334 · Unknown+1 · Captcha-Protect+1

Joecorall · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34206

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Captcha Protect versions prior to 1.12.2

Description

Captcha Protect is a Traefik middleware designed to add an anti-bot challenge to individual IPs within a subnet when traffic spikes are detected. A reflected cross-site scripting (XSS) issue exists in versions prior to 1.12.2. The challenge page accepted a client-supplied destination value and rendered it into HTML using Go's text/template. Because text/template does not perform contextual HTML escaping, an attacker could supply a crafted destination value to inject arbitrary script into the challenge page. The vulnerability occurs because the application renders a client-supplied value into HTML without proper escaping.

Recommendations

Update to version 1.12.2 or later.
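
The difference between the two template packages named in the description, shown as an added example (not Captcha Protect's code): the same markup is parsed once with text/template and once with html/template and rendered with a constructed destination value. The `challengePage` markup, the `pageData` type and the function names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	"strings"
	texttpl "text/template"
)

// Hypothetical challenge markup (assumption, not Captcha Protect's template).
const challengePage = `<form method="post">
<input type="hidden" name="destination" value="{{.Destination}}">
</form>`

type pageData struct{ Destination string }

// renderUnsafe uses text/template: the value is copied into the page verbatim.
func renderUnsafe(dest string) (string, error) {
	var buf bytes.Buffer
	t, err := texttpl.New("challenge").Parse(challengePage)
	if err != nil {
		return "", err
	}
	err = t.Execute(&buf, pageData{Destination: dest})
	return buf.String(), err
}

// renderSafe uses html/template: the value is escaped for the attribute it lands in.
func renderSafe(dest string) (string, error) {
	var buf bytes.Buffer
	t, err := htmltpl.New("challenge").Parse(challengePage)
	if err != nil {
		return "", err
	}
	err = t.Execute(&buf, pageData{Destination: dest})
	return buf.String(), err
}

// hasRawScript reports whether an unescaped <script> tag reached the output.
func hasRawScript(page string) bool { return strings.Contains(page, "<script>") }

func main() {
	dest := `"><script>alert(1)</script>` // constructed sample value
	unsafePage, _ := renderUnsafe(dest)
	safePage, _ := renderSafe(dest)
	fmt.Printf("text/template raw script: %v\n%s\n\n", hasRawScript(unsafePage), unsafePage)
	fmt.Printf("html/template raw script: %v\n%s\n", hasRawScript(safePage), safePage)
}
```

A check like `hasRawScript` over rendered output is also usable as a regression test for any handler that reflects request parameters into a page.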

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-34206
GHSA-PH62-4J5G-2Q4R

Affected Products

Captcha-Protect
Traefik