Interactsh server settings make users vulnerable to Subdomain Takeover
Description
Interactsh is an open-source tool for detecting out-of-band interactions. Domains configured with interactsh server prior to version 1.0.0 were vulnerable to subdomain takeover for a specific subdomain, i.e. app. Interactsh server used to create CNAME entries for app pointing to projectdiscovery.github.io by default, which was intended to be used for hosting the interactsh web client using GitHub Pages. This is a security issue with a self-hosted interactsh server in which the user may not have configured a web client but still has a CNAME entry pointing to GitHub Pages, making them vulnerable to subdomain takeover. This allows a threat actor to host / run arbitrary client-side code (cross-site scripting) in a user's browser when browsing the vulnerable subdomain. Version 1.0.0 fixes this issue by making CNAME optional, rather than default.
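For operators of a self-hosted server, the check below reports whether the app subdomain of their own interactsh domain still aliases to GitHub Pages, which is the record to review or remove if no web client is hosted there. It is an added example, not code from the interactsh project; CheckAppCNAME, Finding and lookupFunc are hypothetical names, and the resolver is injectable so the logic can be exercised offline.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"strings"
)

// lookupFunc has the signature of net.LookupCNAME so a fake resolver can be injected.
type lookupFunc func(host string) (string, error)

// Finding (hypothetical type) records where app.<domain> ends up.
type Finding struct {
	Host, Target        string
	PointsToGitHubPages bool
}

// CheckAppCNAME (hypothetical helper) resolves app.<domain> and flags the
// pre-1.0.0 default described above: an alias into *.github.io.
func CheckAppCNAME(domain string, lookup lookupFunc) (Finding, error) {
	host := "app." + strings.TrimSuffix(strings.ToLower(domain), ".")
	cname, err := lookup(host)
	if err != nil {
		return Finding{Host: host}, err
	}
	target := strings.TrimSuffix(strings.ToLower(cname), ".")
	f := Finding{Host: host, Target: target}
	// net.LookupCNAME returns the queried name itself when no CNAME was followed.
	if target != host && (target == "github.io" || strings.HasSuffix(target, ".github.io")) {
		f.PointsToGitHubPages = true
	}
	return f, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: check <your-interactsh-domain>")
		os.Exit(2)
	}
	f, err := CheckAppCNAME(os.Args[1], net.LookupCNAME)
	if err != nil {
		fmt.Println("lookup failed:", err)
		return
	}
	fmt.Printf("%s -> %s points-to-github-pages=%v\n", f.Host, f.Target, f.PointsToGitHubPages)
}
```

A flagged host is a prompt to confirm that a web client is actually served at that name; if it is not, the record should go away, which version 1.0.0 does by no longer creating it by default.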
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Interactsh servers before v1.0.0 had a default CNAME for the 'app' subdomain pointing to GitHub Pages, allowing subdomain takeover and XSS attacks.
Interactsh is an open-source tool for detecting out-of-band interactions. In versions prior to 1.0.0, the self-hosted server automatically created a CNAME record for the app subdomain pointing to projectdiscovery.github.io, intended for hosting the web client via GitHub Pages [1][2]. However, if the user did not configure a web client, the CNAME entry remained, exposing the subdomain to takeover [4].
An attacker can claim the projectdiscovery.github.io domain on GitHub Pages and host arbitrary content. When a victim visits the vulnerable subdomain (e.g., app.), the attacker's content executes in the victim's browser, enabling cross-site scripting (XSS) attacks [3][4]. This attack is trivial to perform and leaves no traces for the domain owner [3].
The impact includes running arbitrary client-side code, stealing cookies, credentials, or performing phishing attacks. The attacker can completely impersonate the legitimate site, potentially compromising user accounts and damaging credibility [3].
The issue is fixed in Interactsh server v1.0.0, which makes the CNAME optional rather than default [4]. Users should update to the latest version using go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-server@latest. No workaround exists for earlier versions [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/projectdiscovery/interactsh (Go) | < 1.0.0 | 1.0.0 |
Affected products
- projectdiscovery/interactsh v5 Range: < 1.0.0
References
- github.com/advisories/GHSA-m36x-mgfh-8g78 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-36474 (ghsa, ADVISORY)
- github.com/projectdiscovery/interactsh/issues/136 (ghsa, x_refsource_MISC, WEB)
- github.com/projectdiscovery/interactsh/pull/155 (ghsa, x_refsource_MISC, WEB)
- github.com/projectdiscovery/interactsh/security/advisories/GHSA-m36x-mgfh-8g78 (ghsa, x_refsource_CONFIRM, WEB)
- labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more (ghsa, WEB)
- labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/ (mitre, x_refsource_MISC)