CVE-2026-34206
Reflected XSS in Captcha Protect Middleware Before v

Publication date: 2026-03-31

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting (XSS) vulnerability exists in github.com/libops/captcha-protect. The challenge page accepted a client-supplied destination value and rendered it into HTML using Go's text/template. Because text/template does not perform contextual HTML escaping, an attacker could supply a crafted destination value that breaks out of the hidden input attribute and injects arbitrary script into the challenge page. This issue has been patched in version 1.12.2.
Meta Information
Published: 2026-03-31
Last Modified: 2026-04-07
Generated: 2026-05-07
AI Q&A: 2026-03-31
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: libops; Product: captcha_protect; Version / Range: to 1.12.2 (exc)
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34206 is a reflected cross-site scripting (XSS) vulnerability in the captcha-protect package, a Traefik middleware. The vulnerability occurs because the challenge page accepts a client-supplied "destination" parameter and renders it into HTML using Go's text/template package, which does not perform contextual HTML escaping. This allows an attacker to craft a destination value that breaks out of the hidden input attribute and injects arbitrary JavaScript into the challenge page.

When a victim visits a specially crafted challenge URL containing the malicious destination parameter, the injected script executes within the security context of the affected application origin, potentially compromising the user's session or data.

The vulnerability was fixed in version 1.12.2 by switching to Go's html/template package for proper HTML escaping, using a typed template data structure, and normalizing the destination parameter to accept only safe local paths.
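As an added example (not captcha-protect's own code), this Go program contrasts the two rendering paths the description names: text/template leaving a destination value unescaped inside the hidden input, and the fixed approach of html/template with a typed data struct plus a normalizer that keeps only same-origin local paths. The template string, the probe value and the function names are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	htmltemplate "html/template"
	"net/url"
	"strings"
	texttemplate "text/template"
)

// challengeData is a typed payload like the fix introduced: the template sees this field, not a raw request map.
type challengeData struct {
	Destination string
}

// Constructed stand-in for the challenge page's hidden input; the real template is not reproduced here.
const challengeForm = `<form method="post" action="/challenge">` +
	`<input type="hidden" name="destination" value="{{.Destination}}"></form>`

// renderVulnerable mirrors the pre-1.12.2 pattern: text/template copies the value
// verbatim, so a double quote in it closes the attribute and what follows is markup.
func renderVulnerable(dest string) string {
	var buf bytes.Buffer
	tmpl := texttemplate.Must(texttemplate.New("challenge").Parse(challengeForm))
	_ = tmpl.Execute(&buf, map[string]string{"Destination": dest})
	return buf.String()
}

// renderHardened uses html/template: inside a quoted attribute it turns " < > & ' + into entities.
func renderHardened(dest string) string {
	var buf bytes.Buffer
	tmpl := htmltemplate.Must(htmltemplate.New("challenge").Parse(challengeForm))
	_ = tmpl.Execute(&buf, challengeData{Destination: dest})
	return buf.String()
}

// normalizeDestination keeps only a same-origin absolute path (plus query);
// a scheme, host, userinfo or protocol-relative prefix is replaced by "/".
func normalizeDestination(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil ||
		!strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") || strings.HasPrefix(u.Path, "/\\") {
		return "/"
	}
	if u.RawQuery == "" {
		return u.Path
	}
	return u.Path + "?" + u.RawQuery
}
```

Feed a destination through normalizeDestination before it reaches the template, and let html/template handle the attribute escaping; neither step alone covers both the open-redirect and the injection concern.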


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript in the context of your application when users access a specially crafted challenge URL. This can lead to theft of sensitive information such as cookies or session tokens, manipulation of the webpage content, or other malicious actions performed on behalf of the user.

Because the attack requires user interaction (visiting a crafted URL), it can be exploited through phishing or social engineering techniques.

The vulnerability has a moderate severity with a CVSS v3.1 base score of 6.1, indicating a significant risk but requiring user interaction and no privileges.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying if your system is running a vulnerable version of the captcha-protect Traefik middleware prior to version 1.12.2. Specifically, check if the challenge page accepts a client-supplied "destination" parameter that is rendered using Go's text/template package without proper HTML escaping.

You can detect attempts to exploit this vulnerability by monitoring HTTP requests to the /challenge URL that include suspicious or crafted destination parameters containing script tags or other injection payloads.

Suggested commands to detect the vulnerability or exploitation attempts include:

  • Use network traffic inspection tools like tcpdump or Wireshark to capture HTTP requests to the /challenge endpoint.
  • Use grep or similar tools on web server logs to search for suspicious destination parameters, e.g. `grep -iE 'destination=.*<script|destination=.*\x3cscript' /var/log/traefik/access.log`.
  • Check the version of captcha-protect in use by inspecting your dependency or plugin version, for example `grep captcha-protect /path/to/your/traefik/plugins`, or check your go.mod file for the version.

What immediate steps should I take to mitigate this vulnerability?

The primary and recommended mitigation is to upgrade captcha-protect to version 1.12.2 or later, where the vulnerability has been fixed.

If an immediate upgrade is not possible, the following workarounds can reduce risk:

  • Configure the captcha-protect plugin to perform inline challenges by setting `challengeURL: ""`. This disables the vulnerable external challenge page rendering.
  • Block direct access to crafted /challenge URLs from untrusted sources at the network or firewall level to prevent attackers from triggering the vulnerable challenge page.

Note that these workarounds do not fully replace patching, so upgrading remains the best solution.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability is a reflected cross-site scripting (XSS) issue that allows an attacker to inject arbitrary JavaScript into the challenge page, potentially leading to unauthorized script execution within the security context of the affected application.

Such XSS vulnerabilities can impact compliance with standards and regulations like GDPR and HIPAA because they may lead to unauthorized access or exposure of sensitive user data, compromise user privacy, and violate requirements for secure handling of personal information.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these or other common standards and regulations.

