CVE-2026-13140 PUBLISHED

Stored Cross-Site Scripting in Canarytokens.org

Assigner: ThinkstAppliedResearch
Reserved: 24.06.2026 Published: 24.06.2026 Updated: 24.06.2026

Stored Cross-Site Scripting in the exposed AWS API key store of Thinkst Applied Research Canarytokens.

Anonymous exploitation requires knowledge of a random identifier.

This issue affects Canarytokens: from Docker tag sha-4116b92cb before sha-f5aa5c4e, from Git commit 4116b92cb before f5aa5c4e.

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
CVSS Score: 1.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	High	Integrity	Low	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	Low
User Interaction	Active

CVSS 4.0

Vendor	Thinkst Applied Research
Product	Canarytokens
Versions	Default: unaffected affected from sha-4116b92cb to f5aa5c4e (excl.) affected from 4116b92cb to f5aa5c4e (excl.)

Pull the latest Docker image:

$ docker pull thinkst/canarytokens:latest

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') CWE