CVE-2026-10729
Received - Intake
HTML Injection in Canarytokens Email Notification

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: 0f2be0ad-3469-4e56-b38f-4eb96719b425

Description
An HTML injection vulnerability exists in the notification email for "Slow Redirect" and "Cloned Website" Canarytokens in Thinkst Applied Research Canarytokens, enabling interface manipulation and cross-site scripting (XSS) in email clients that render HTML emails. This issue affects Canarytokens: from Docker tag sha-c42435e before sha-bfda4df, from Git commit c42435e before bfda4df.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-03
Generated: 2026-06-03
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: thinkst
Product: canarytokens
Version / Range: from sha-c42435e, before sha-bfda4df (excluding)
CWE
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-10729 is an HTML injection vulnerability in the notification emails sent by the "Slow Redirect" and "Cloned Website" Canarytokens in Thinkst Applied Research Canarytokens.

The vulnerability occurs because the 'location' field in these tokens is included in the emails without proper escaping, allowing attackers to inject unescaped HTML code.

Since many email clients render HTML content, this can enable Interface Manipulation and Cross-Site Scripting (XSS) within the email clients.


How can this vulnerability impact me?

The impact depends on the email client's ability to render HTML content.

An attacker could inject malicious HTML such as phishing links or images into notification emails, potentially tricking users into interacting with harmful content.

This could lead to Interface Manipulation or Cross-Site Scripting attacks within the email client, which may compromise user security.

However, the severity is rated as low and the exploit requires user interaction.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves HTML injection in notification emails generated by the "Slow Redirect" and "Cloned Website" Canarytokens. Because the issue is in the email content itself, detection means reviewing the raw source of those notification emails for suspicious or unescaped HTML tags in the 'location' field.

There are no specific commands provided to detect this vulnerability on your network or system.
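As an added illustration (not Canarytokens' own code), the unescaped interpolation behind this CVE sits beside its escaped form, together with the raw-body check the detection answer above describes; the template string, its "Location:" label and the sample location value are assumptions.

```python
import html
import re

# Constructed sample value for the token's 'location' field; it carries markup
# that an HTML-rendering mail client would display or execute if left unescaped.
SAMPLE_LOCATION = 'https://example.test/?q=<img src=x onerror="alert(1)">'

# Hypothetical notification template; the real Canarytokens template differs.
TEMPLATE = "<p>Token triggered. Location: {location}</p>"


def render_alert_vulnerable(location: str) -> str:
    """Interpolates the field verbatim into the HTML body (the pattern behind the CVE)."""
    return TEMPLATE.format(location=location)


def render_alert_fixed(location: str) -> str:
    """Escapes the field first, so the mail client shows it as text rather than markup."""
    return TEMPLATE.format(location=html.escape(location, quote=True))


# Greedy match to the last </p>, so an injected "</p>" cannot truncate the slot.
_LOCATION_RE = re.compile(r"Location: (.*)</p>", re.S)


def extract_location(body: str) -> str:
    """Pulls the location slot out of an email body rendered from TEMPLATE."""
    match = _LOCATION_RE.search(body)
    return match.group(1) if match else ""


def has_unescaped_markup(body: str) -> bool:
    """Triage check on a raw notification body: True if the slot still holds a raw '<'.

    An escaped value contains only entities such as &lt; and &gt;, which a mail
    client renders inertly; any literal '<' means the field was not escaped.
    """
    return "<" in extract_location(body)


def escaped_value_round_trips(location: str) -> bool:
    """Confirms the fix loses no information: unescaping returns the original value."""
    return html.unescape(extract_location(render_alert_fixed(location))) == location


if __name__ == "__main__":
    for name, render in (("vulnerable", render_alert_vulnerable), ("fixed", render_alert_fixed)):
        body = render(SAMPLE_LOCATION)
        print(f"{name}: unescaped markup present = {has_unescaped_markup(body)}")
        print("  " + body)
```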


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update your Canarytokens deployment to Docker tag sha-bfda4df or later, where the issue has been patched.

If you are using the hosted Canarytokens.org service, the vulnerability has already been fixed.

Avoid interacting with suspicious notification emails that may contain injected HTML content.

