6.1
CVE-2026-34206
- EPSS 0.19%
- Veröffentlicht 31.03.2026 19:34:21
- Zuletzt bearbeitet 07.04.2026 15:59:28
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginCaptcha Protect: Reflected XSS in challenge page via unsanitized destination rendered with text/template
Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting (XSS) vulnerability exists in github.com/libops/captcha-protect. The challenge page accepted a client-supplied destination value and rendered it into HTML using Go's text/template. Because text/template does not perform contextual HTML escaping, an attacker could supply a crafted destination value that breaks out of the hidden input attribute and injects arbitrary script into the challenge page. This issue has been patched in version 1.12.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Libops ≫ Captcha Protect SwPlatformtraefik Version < 1.12.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.084 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/libops/captcha-protect/security/advisories/GHSA-ph62-4j5g-2q4r
https://github.com/libops/captcha-protect/commit/eef6211ecd1147273be484d913b81c68c0bd8d3f
https://github.com/libops/captcha-protect/releases/tag/v1.12.2