Canarytokens Self Cross-Site Scripting Vulnerability in PWA Token

Vulnerability

A self cross-site scripting vulnerability has been identified in the "PWA" Canarytoken, affecting versions prior to sha-7ff0e12. This issue allows the creator of a PWA Canarytoken to inject JavaScript into the title field. When the creator accesses the installation page for their token, the injected JavaScript executes. This self-XSS vulnerability could be exploited by sending the installation link to a victim, who would unknowingly execute the JavaScript. However, no sensitive information, such as session data, would be disclosed to the attacker.
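The root cause described above is a creator-controlled title being placed into the installation page without HTML encoding. The following is an added illustration, not Canarytokens' own code, and the token object shape, page layout and function names are assumptions for the demo: it shows the unsafe concatenation pattern beside an escaped rendering, plus a small check that a test suite can use to catch a title that survives into the page as raw markup.

```javascript
// Added example (not Canarytokens' own code). Contrasts raw interpolation of a
// creator-supplied title with HTML-escaped rendering of the same install page.
// The token shape and page structure are assumptions made for this demo.

// Escape the five characters that can break out of text or attribute context.
// Ampersand goes first so already-produced entities are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the title is concatenated raw into three places (the
// <title> element, an attribute, and a heading). Any markup in the title is
// rendered by the browser of whoever opens the install link.
function renderInstallPageUnsafe(token) {
  return `<!doctype html><html><head><title>${token.title}</title></head>` +
         `<body data-token="${token.title}"><h1>Install ${token.title}</h1>` +
         `<button id="install">Add to home screen</button></body></html>`;
}

// Hardened pattern: every interpolation of untrusted data goes through
// escapeHtml, so the title is displayed as text in all three contexts.
function renderInstallPageSafe(token) {
  const title = escapeHtml(token.title);
  return `<!doctype html><html><head><title>${title}</title></head>` +
         `<body data-token="${title}"><h1>Install ${title}</h1>` +
         `<button id="install">Add to home screen</button></body></html>`;
}

// Regression check: if the title carries HTML metacharacters and still appears
// verbatim in the output, it was not encoded. Suitable for a unit test that
// feeds a handful of hostile titles through the renderer.
function titleEchoedAsMarkup(html, title) {
  return /[<>"'&]/.test(title) && html.includes(title);
}

// Constructed sample token (not a real Canarytoken) with markup in its title.
const SAMPLE_TOKEN = { title: "Payroll <script>alert('xss')</script>" };

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe echoes markup:',
    titleEchoedAsMarkup(renderInstallPageUnsafe(SAMPLE_TOKEN), SAMPLE_TOKEN.title));
  console.log('safe echoes markup:  ',
    titleEchoedAsMarkup(renderInstallPageSafe(SAMPLE_TOKEN), SAMPLE_TOKEN.title));
}
```

The check in titleEchoedAsMarkup is deliberately conservative: a title with no metacharacters is allowed to appear verbatim, while any title containing one of the escaped characters must come out encoded. A template engine with auto-escaping enabled gives the same result by default; the pattern to look for in review is a raw-string or "safe" marker applied to a field the token creator controls.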

Impact

Exploitation of this vulnerability allows for self cross-site scripting, where injected JavaScript is executed in the context of the user who created the Canarytoken.

Remediation

Users of self-hosted Canarytokens installations can update by pulling the latest Docker image or any Docker image after sha-7ff0e12.

Added: Feb 27, 2026, 9:21 PM
Updated: Feb 27, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.7
exploitability  2.8
remediation     7.9
relevance       3.3
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.