CVE-2026-28355
Description
Canarytokens help track activity and actions on a network. Versions prior to sha-7ff0e12 have a Self Cross-Site Scripting vulnerability in the "PWA" Canarytoken, whereby the Canarytoken's creator can attack themselves or someone they share the link with. The creator of a PWA Canarytoken can insert JavaScript into the title field of their PWA token. When the creator later browses the installation page for their own Canarytoken, the JavaScript executes. This is a self-XSS. An attacker could create a Canarytoken with this self-XSS and send the install link to a victim; when the victim clicks on it, the JavaScript would execute. However, no sensitive information (e.g. session information) will be disclosed to the malicious actor. This issue is now patched on Canarytokens.org. Users of self-hosted Canarytokens installations can update by pulling the latest Docker image, or any Docker image after sha-7ff0e12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Canarytokens before sha-7ff0e12 have a self-XSS in the PWA token title field, allowing an attacker to trick a victim into executing JavaScript, but no sensitive data is leaked.
The vulnerability is a stored self-XSS in the PWA Canarytoken of Canarytokens prior to commit sha-7ff0e12. The creator of a PWA Canarytoken can insert arbitrary JavaScript into the title field, which is not sanitized. When the creator or anyone who clicks the installation link later views the installation page, the script executes in their browser [1].
To exploit this, an attacker creates a PWA Canarytoken with malicious JavaScript in the title and sends the installation link to a victim. No authentication or special network access is required beyond the ability to create tokens. When the victim clicks the link, the script runs in the context of the Canarytokens site [1].
The impact is limited to self-XSS; while arbitrary JavaScript executes, no sensitive information such as session cookies or tokens is disclosed to the attacker. This reduces the severity, as the attacker cannot extract data from the victim's session [1].
The issue is patched on Canarytokens.org. Users of self-hosted installations can fix it by pulling the latest Docker image (any image after sha-7ff0e12) [1].
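To show the bug class that the description and the narrative above describe, here is an added Python example, not Canarytokens' own code: a hypothetical install-page renderer that interpolates the token title raw, beside one that escapes it, plus a coarse check a reviewer can run to tell whether a title contributed markup to the rendered page. The function names and sample titles are constructed for this illustration.

```python
import html

# Constructed sample titles a token creator might submit; not taken from the advisory.
SCRIPT_TITLE = 'My PWA<script>alert("self-xss")</script>'
ATTR_BREAKOUT_TITLE = 'x" onmouseover="alert(1)'


def render_install_page_vulnerable(title: str) -> str:
    """Hypothetical renderer showing the bug class: the creator-supplied title is
    interpolated straight into the markup, so a <script> tag or a quote that
    breaks out of the attribute becomes part of the DOM the viewer's browser runs."""
    return (
        "<html><body>"
        f'<h1 data-token-title="{title}">Install {title}</h1>'
        "</body></html>"
    )


def render_install_page_fixed(title: str) -> str:
    """Same template, but the title is escaped for both element text and a
    double-quoted attribute before interpolation, so it renders as text only."""
    safe = html.escape(title, quote=True)
    return (
        "<html><body>"
        f'<h1 data-token-title="{safe}">Install {safe}</h1>'
        "</body></html>"
    )


def title_introduces_markup(render, title: str) -> bool:
    """Coarse defender-side check: render the template with an empty title to get
    the baseline number of '<' and '"' characters, then render it with the
    suspect title. If either count changes, the title reached the page as raw
    markup instead of as escaped text."""
    baseline = render("")
    page = render(title)
    return (
        page.count("<") != baseline.count("<")
        or page.count('"') != baseline.count('"')
    )
```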
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.