CVE-2026-13140

Summary

Stored Cross-Site Scripting in the exposed AWS API key store of Thinkst Applied Research Canarytokens.

Anonymous exploitation requires knowledge of a random identifier.

This issue affects Canarytokens: from Docker tag sha-4116b92cb before sha-f5aa5c4e, from Git commit 4116b92cb before f5aa5c4e.

Affected Software

VendorProductVersion RangeStatus
Thinkst Applied ResearchCanarytokenssha-4116b92cb < f5aa5c4eaffected
Thinkst Applied ResearchCanarytokens4116b92cb < f5aa5c4eaffected

Weaknesses

  • CWE-79: CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References