CVE-2026-10729
Status: Deferred - Pending Action
HTML Injection in Canarytokens Email Notification

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: 0f2be0ad-3469-4e56-b38f-4eb96719b425

Description
An HTML injection vulnerability exists in the notification email for "Slow Redirect" and "Cloned Website" Canarytokens in Thinkst Applied Research Canarytokens, enabling Interface Manipulation and Cross-Site Scripting (XSS) in email clients that render HTML emails. This issue affects Canarytokens: from Docker tag sha-c42435e before sha-bfda4df, from Git commit c42435e before bfda4df.
Meta Information
Generated: 2026-06-24
AI Q&A: 2026-06-03
EPSS evaluated: 2026-06-22
Affected Vendors & Products
One associated CPE:
Vendor: thinkst
Product: canarytokens
Version range: from sha-c42435e, before sha-bfda4df (excluded)
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Executive Summary

CVE-2026-10729 is an HTML injection vulnerability in the notification emails sent by the "Slow Redirect" and "Cloned Website" Canarytokens in Thinkst Applied Research Canarytokens.

The vulnerability occurs because the 'location' field in these tokens is included in the emails without proper escaping, allowing attackers to inject unescaped HTML code.

Since many email clients render HTML content, this can enable Interface Manipulation and Cross-Site Scripting (XSS) within the email clients.

Impact Analysis

The impact depends on the email client's ability to render HTML content.

An attacker could inject malicious HTML such as phishing links or images into notification emails, potentially tricking users into interacting with harmful content.

This could lead to Interface Manipulation or Cross-Site Scripting attacks within the email client, which may compromise user security.

However, the severity is rated as low and the exploit requires user interaction.

Detection Guidance

This vulnerability involves HTML injection in notification emails generated by the "Slow Redirect" and "Cloned Website" Canarytokens. Detection would involve inspecting these notification emails for unescaped HTML content in the 'location' field.

Since the issue is in the email content, you can detect it by reviewing the raw source of notification emails for suspicious or unescaped HTML tags in the 'location' field.

There are no specific commands provided to detect this vulnerability on your network or system.
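The following is an added illustration, not code from the Canarytokens project: it contrasts the unescaped interpolation of a token's 'location' field described in the Executive Summary with an HTML-escaped rendering, and implements the raw-source check suggested in the Detection Guidance. The template text and the sample location value are constructed for this example; the real Canarytokens email template is not shown on this page.

```python
import email
import html
import re
from email import policy
from email.message import EmailMessage

# Constructed sample value, not taken from the advisory: a token "location"
# carrying an HTML tag, as it might arrive from an untrusted token configuration.
RAW_LOCATION = 'https://example.invalid/<img src=x onerror="alert(1)">'

# Hypothetical template text; the real Canarytokens template is not on the page.
TEMPLATE = "<p>Your Canarytoken was triggered.</p><p>Location: {loc}</p>"

def render_unsafe(location: str) -> str:
    """The flawed pattern: the field is interpolated into the HTML body verbatim."""
    return TEMPLATE.format(loc=location)

def render_safe(location: str) -> str:
    """The hardened pattern: HTML-escape the field before embedding it."""
    return TEMPLATE.format(loc=html.escape(location, quote=True))

def build_raw_email(body_html: str) -> bytes:
    """Wrap an HTML body in a multipart/alternative message, as a mailer would."""
    msg = EmailMessage()
    msg["Subject"] = "Canarytoken triggered"
    msg["From"] = "alerts@example.invalid"
    msg["To"] = "owner@example.invalid"
    msg.set_content("Your Canarytoken was triggered.")  # plain-text part
    msg.add_alternative(body_html, subtype="html")
    return msg.as_bytes()

# Any literal HTML tag; escaped text contains "&lt;" rather than "<", so it never matches.
TAG_RE = re.compile(r"<\s*/?[a-zA-Z][^>]*>")

def location_has_raw_html(raw_email: bytes) -> bool:
    """Detection check: parse the raw message, take its HTML part, isolate the
    Location field and report whether it contains an unescaped tag."""
    msg = email.message_from_bytes(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return False
    m = re.search(r"Location:\s*(.*?)</p>", part.get_content(), re.S)
    return bool(m and TAG_RE.search(m.group(1)))

if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        flagged = location_has_raw_html(build_raw_email(render(RAW_LOCATION)))
        print(f"{name} rendering: raw HTML in Location field -> {flagged}")
```

The unsafe rendering is flagged because the tag survives into the HTML part; the escaped rendering is not, since the browser-facing text now contains only entity-encoded characters.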

Mitigation Strategies

To mitigate this vulnerability, update your Canarytokens deployment to the latest Docker image version after sha-bfda4df, where the issue has been patched.

If you are using the hosted Canarytokens.org service, the vulnerability has already been fixed.

Avoid interacting with suspicious notification emails that may contain injected HTML content.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
