CVE-2026-34206
Received Received - Intake
Reflected XSS in Captcha Protect Middleware Before v

Publication date: 2026-03-31

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting (XSS) vulnerability exists in github.com/libops/captcha-protect. The challenge page accepted a client-supplied destination value and rendered it into HTML using Go's text/template. Because text/template does not perform contextual HTML escaping, an attacker could supply a crafted destination value that breaks out of the hidden input attribute and injects arbitrary script into the challenge page. This issue has been patched in version 1.12.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34206
EUVD
EUVD-2026-17602
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libops captcha_protect to 1.12.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34206 is a reflected cross-site scripting (XSS) vulnerability in the captcha-protect package, a Traefik middleware. The vulnerability occurs because the challenge page accepts a client-supplied "destination" parameter and renders it into HTML using Go's text/template package, which does not perform contextual HTML escaping. This allows an attacker to craft a destination value that breaks out of the hidden input attribute and injects arbitrary JavaScript into the challenge page.

When a victim visits a specially crafted challenge URL containing the malicious destination parameter, the injected script executes within the security context of the affected application origin, potentially compromising the user's session or data.

The vulnerability was fixed in version 1.12.2 by switching to Go's html/template package for proper HTML escaping, using a typed template data structure, and normalizing the destination parameter to accept only safe local paths.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript in the context of your application when users access a specially crafted challenge URL. This can lead to theft of sensitive information such as cookies or session tokens, manipulation of the webpage content, or other malicious actions performed on behalf of the user.

Because the attack requires user interaction (visiting a crafted URL), it can be exploited through phishing or social engineering techniques.

The vulnerability has a moderate severity with a CVSS v3.1 base score of 6.1, indicating a significant risk but requiring user interaction and no privileges.

Detection Guidance

This vulnerability can be detected by identifying if your system is running a vulnerable version of the captcha-protect Traefik middleware prior to version 1.12.2. Specifically, check if the challenge page accepts a client-supplied "destination" parameter that is rendered using Go's text/template package without proper HTML escaping.

You can detect attempts to exploit this vulnerability by monitoring HTTP requests to the /challenge URL that include suspicious or crafted destination parameters containing script tags or other injection payloads.

Suggested commands to detect the vulnerability or exploitation attempts include:

  • Use network traffic inspection tools like tcpdump or Wireshark to capture HTTP requests to the /challenge endpoint.
  • Use grep or similar tools on web server logs to search for suspicious destination parameters, e.g.:
  • grep -iE 'destination=.*<script|destination=.*\x3cscript' /var/log/traefik/access.log
  • Check the version of captcha-protect in use by inspecting your dependency or plugin version, for example:
  • grep captcha-protect /path/to/your/traefik/plugins or check your go.mod file for the version.
Mitigation Strategies

The primary and recommended mitigation is to upgrade captcha-protect to version 1.12.2 or later, where the vulnerability has been fixed.

If an immediate upgrade is not possible, the following workarounds can reduce risk:

  • Configure the captcha-protect plugin to perform inline challenges by setting `challengeURL: ""`. This disables the vulnerable external challenge page rendering.
  • Block direct access to crafted /challenge URLs from untrusted sources at the network or firewall level to prevent attackers from triggering the vulnerable challenge page.

Note that these workarounds do not fully replace patching, so upgrading remains the best solution.

Compliance Impact

The vulnerability is a reflected cross-site scripting (XSS) issue that allows an attacker to inject arbitrary JavaScript into the challenge page, potentially leading to unauthorized script execution within the security context of the affected application.

Such XSS vulnerabilities can impact compliance with standards and regulations like GDPR and HIPAA because they may lead to unauthorized access or exposure of sensitive user data, compromise user privacy, and violate requirements for secure handling of personal information.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these or other common standards and regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34206. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart