CVE-2026-10729
Description
HTML injection in Canarytokens notification emails allows interface manipulation and XSS in email clients.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An HTML injection vulnerability exists in the notification email sent when a "Slow Redirect" or "Cloned Website" Canarytoken fires. The token's location field (the redirect target configured by the token's creator) is included in the email body without HTML escaping, so markup placed in that field becomes part of the rendered alert. This issue affects Canarytokens from Docker tag sha-c42435e before sha-bfda4df, and from Git commit c42435e before bfda4df [1].
Exploitation
Whoever creates the token controls the injected content: the attacker configures a "Slow Redirect" or "Cloned Website" Canarytoken with HTML in the location field, then triggers the token (or waits for it to be triggered). The payload is delivered when the notification email is generated and rendered by the recipient's email client [1].
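The bug class, shown as an added illustration rather than Canarytokens' own code: a minimal alert-email renderer that interpolates the location field directly into HTML, beside a hardened version that escapes it, plus an input-time validator. The template text, the function names, the acceptance policy for redirect URLs and the payload string are all assumptions made for this example; the payload is constructed and does not come from the advisory.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker-controlled value for the token's redirect "location" field.
# Made up for this example, not a payload taken from the advisory.
MALICIOUS_LOCATION = (
    'http://example.com/">'
    '<a href="https://phish.example/login">Reset your password</a>'
    '<img src="https://phish.example/t.gif">'
)

BENIGN_LOCATION = "https://example.com/landing?campaign=1"


def render_alert_unsafe(token_type: str, location: str) -> str:
    """Vulnerable pattern: the field is concatenated straight into HTML,
    so a quote and angle bracket in it close the href and open new elements."""
    return (
        f"<p>Your {token_type} Canarytoken was triggered.</p>"
        f'<p>Redirect target: <a href="{location}">{location}</a></p>'
    )


def render_alert_safe(token_type: str, location: str) -> str:
    """Hardened form: html.escape(quote=True) encodes < > & " and ', which is
    sufficient for both a text node and a double-quoted attribute value."""
    escaped = html.escape(location, quote=True)
    return (
        f"<p>Your {html.escape(token_type)} Canarytoken was triggered.</p>"
        f'<p>Redirect target: <a href="{escaped}">{escaped}</a></p>'
    )


def is_acceptable_redirect_url(location: str) -> bool:
    """Defence in depth at input time (assumed policy, not the project's own):
    accept only absolute http(s) URLs with a host and no HTML metacharacters.
    Output escaping remains the actual fix; this just rejects junk early."""
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return not any(ch in location for ch in '<>"\'')


def injected_elements(rendered: str) -> int:
    """Count <img> elements in the rendered email; the template itself emits none,
    so any hit comes from the interpolated field."""
    return rendered.count("<img")


if __name__ == "__main__":
    unsafe = render_alert_unsafe("Slow Redirect", MALICIOUS_LOCATION)
    safe = render_alert_safe("Slow Redirect", MALICIOUS_LOCATION)
    print("unsafe: injected <img> count =", injected_elements(unsafe))   # 2
    print("safe:   injected <img> count =", injected_elements(safe))     # 0
    print("payload passes validator:", is_acceptable_redirect_url(MALICIOUS_LOCATION))  # False
    print("benign passes validator: ", is_acceptable_redirect_url(BENIGN_LOCATION))     # True
```

The location appears twice in the template (attribute and text), so the unsafe renderer emits the injected image and phishing anchor twice; the escaped renderer produces identical output to the unsafe one for a benign URL, which is the property to check when retrofitting escaping into an existing template.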
Impact
This vulnerability enables interface manipulation and cross-site scripting (XSS) within email clients that render HTML. At a minimum, an attacker can inject phishing links and images into notification emails, making a forged alert look like a legitimate Canarytokens message. The full impact depends on the email client: most clients do not execute script in messages, so the practical payload is markup (links, images, layout overlays), and script execution is only possible in clients that do not strip or neutralise it [1].
Mitigation
This issue is patched on Canarytokens.org. Users of self-hosted Canarytokens installations should pull an image at or after sha-bfda4df (or build from Git commit bfda4df or later), for example thinkst/canarytokens:latest, and redeploy [1].
AI Insight generated on Jun 3, 2026, synthesized from this CVE's description and the cited reference URLs.
Affected products
- Range: from Docker tag sha-c42435e before sha-bfda4df; from Git commit c42435e before bfda4df
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.