CVE-2024-41663
Description
Canarytokens help track activity and actions on a network. A Cross-Site Scripting vulnerability was identified in the "Cloned Website" Canarytoken, whereby the Canarytoken's creator can attack themselves. The creator of a slow-redirect Canarytoken can insert JavaScript into the destination URL of their slow-redirect token. When the creator later browses the management page for their own Canarytoken, the JavaScript executes. This is a self-XSS. An attacker could create a Canarytoken with this self-XSS and send the management link to a victim. When the victim clicks on it, the JavaScript would execute. However, no sensitive information (e.g. session information) will be disclosed to the malicious actor. This issue is now patched on Canarytokens.org. Users of self-hosted Canarytokens installations can update by pulling the latest Docker image, or any Docker image after sha-097d91a.
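The description above boils down to one rendering mistake: a value the token creator controls (the redirect destination) is reflected into the management page without scheme validation or HTML escaping. The following is an added example, written for this page and not taken from the Canarytokens project, that contrasts a hypothetical unsafe renderer with a hardened one; the function names, the row template and the sample inputs are all constructed for illustration. The fix is applied at two points, on input (only http/https destinations with a host are accepted) and on output (the value is HTML-escaped before it is placed in an attribute or text node), so that neither a `javascript:` destination nor a destination containing markup can reach the page as live content.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Only real web destinations are acceptable for a redirect; anything else
# (javascript:, data:, vbscript:, scheme-relative, empty) is rejected.
ALLOWED_SCHEMES = {"http", "https"}


def validate_redirect_destination(url: str) -> Optional[str]:
    """Return the stripped URL if it is an http(s) URL with a host, else None.

    Validation at creation time stops a javascript: destination from ever
    being stored; the rendering layer still escapes because a stored value
    must never be trusted to be clean.
    """
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if not parts.netloc:
        return None
    return candidate


def render_management_row_unsafe(destination: str) -> str:
    """Hypothetical unsafe pattern: raw interpolation of a creator-controlled
    value into the management page. A destination such as
    'javascript:alert(1)' becomes a clickable script URL, and a destination
    containing '"><script>...' breaks out of the attribute entirely."""
    return f'<a href="{destination}">{destination}</a>'


def render_management_row_safe(destination: str) -> str:
    """Hardened renderer: validate the scheme, then HTML-escape for both the
    attribute and the text node. quote=True escapes " and ' as well as <, >, &."""
    validated = validate_redirect_destination(destination)
    if validated is None:
        return '<span class="invalid">(invalid destination)</span>'
    escaped = html.escape(validated, quote=True)
    return f'<a href="{escaped}" rel="noopener noreferrer">{escaped}</a>'


if __name__ == "__main__":
    # Constructed sample destinations a token creator might submit.
    samples = [
        "https://example.com/landing",
        "javascript:alert(document.domain)",
        'https://example.com/"><script>alert(1)</script>',
    ]
    for s in samples:
        print("unsafe:", render_management_row_unsafe(s))
        print("safe:  ", render_management_row_safe(s))
```

The unsafe function is kept only to make the contrast visible in the output; a code-review check for this class of bug is simply to grep for f-strings or string concatenation that build HTML from request or database values, and to confirm that every such site goes through an escaping template engine or an explicit `html.escape` call.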
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Self-XSS in Canarytokens' 'Cloned Website' token allows injecting JavaScript into the management page, but no sensitive data is leaked.
A Cross-Site Scripting (XSS) vulnerability was identified in the "Cloned Website" Canarytoken, specifically affecting the slow-redirect token type. The token creator can inject JavaScript into the destination URL of their slow redirect token. When the creator later views the management page for that token, the injected JavaScript executes, resulting in a self-XSS condition [1].
An attacker can create a malicious Canarytoken with the injected JavaScript and then send the management link to a victim. When the victim clicks the link, the JavaScript runs in their browser. However, the attacker does not gain access to sensitive information such as session cookies or other credentials. This is because the XSS only executes on the token's management page, and the attacker has no means to exfiltrate the victim's session data [1].
The impact is limited to the execution of arbitrary JavaScript in the context of the victim's session on the management page. The attacker cannot escalate privileges or access other parts of the application. This vulnerability has been patched on Canarytokens.org. Users running self-hosted Canarytokens installations can update by pulling the latest Docker image (any image after sha-097d91a) [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (No linked articles in our index yet.)