{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34206", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T15:57:52.323Z", "datePublished": "2026-03-31T19:34:21.383Z", "dateUpdated": "2026-04-01T18:41:05.256Z"}, "containers": {"cna": {"title": "Captcha Protect: Reflected XSS in challenge page via unsanitized destination rendered with text/template", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/libops/captcha-protect/security/advisories/GHSA-ph62-4j5g-2q4r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libops/captcha-protect/security/advisories/GHSA-ph62-4j5g-2q4r"}, {"name": "https://github.com/libops/captcha-protect/commit/eef6211ecd1147273be484d913b81c68c0bd8d3f", "tags": ["x_refsource_MISC"], "url": "https://github.com/libops/captcha-protect/commit/eef6211ecd1147273be484d913b81c68c0bd8d3f"}, {"name": "https://github.com/libops/captcha-protect/releases/tag/v1.12.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/libops/captcha-protect/releases/tag/v1.12.2"}], "affected": [{"vendor": "libops", "product": "captcha-protect", "versions": [{"version": "< 1.12.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T19:34:21.383Z"}, "descriptions": [{"lang": "en", "value": "Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting (XSS) vulnerability exists in github.com/libops/captcha-protect. The challenge page accepted a client-supplied destination value and rendered it into HTML using Go's text/template. Because text/template does not perform contextual HTML escaping, an attacker could supply a crafted destination value that breaks out of the hidden input attribute and injects arbitrary script into the challenge page. This issue has been patched in version 1.12.2."}], "source": {"advisory": "GHSA-ph62-4j5g-2q4r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:40:57.202868Z", "id": "CVE-2026-34206", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:41:05.256Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34206", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T18:40:57.202868Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:41:01.615Z"}}], "cna": {"title": "Captcha Protect: Reflected XSS in challenge page via unsanitized destination rendered with text/template", "source": {"advisory": "GHSA-ph62-4j5g-2q4r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "libops", "product": "captcha-protect", "versions": [{"status": "affected", "version": "< 1.12.2"}]}], "references": [{"url": "https://github.com/libops/captcha-protect/security/advisories/GHSA-ph62-4j5g-2q4r", "name": "https://github.com/libops/captcha-protect/security/advisories/GHSA-ph62-4j5g-2q4r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/libops/captcha-protect/commit/eef6211ecd1147273be484d913b81c68c0bd8d3f", "name": "https://github.com/libops/captcha-protect/commit/eef6211ecd1147273be484d913b81c68c0bd8d3f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/libops/captcha-protect/releases/tag/v1.12.2", "name": "https://github.com/libops/captcha-protect/releases/tag/v1.12.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting (XSS) vulnerability exists in github.com/libops/captcha-protect. The challenge page accepted a client-supplied destination value and rendered it into HTML using Go's text/template. Because text/template does not perform contextual HTML escaping, an attacker could supply a crafted destination value that breaks out of the hidden input attribute and injects arbitrary script into the challenge page. This issue has been patched in version 1.12.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T19:34:21.383Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34206", "state": "PUBLISHED", "dateUpdated": "2026-04-01T18:41:05.256Z", "dateReserved": "2026-03-26T15:57:52.323Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T19:34:21.383Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libops:captcha_protect:*:*:*:*:*:traefik:*:*", "matchCriteriaId": "0521B194-E67A-4D35-B160-9410AE9668AA", "versionEndExcluding": "1.12.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting (XSS) vulnerability exists in github.com/libops/captcha-protect. The challenge page accepted a client-supplied destination value and rendered it into HTML using Go's text/template. Because text/template does not perform contextual HTML escaping, an attacker could supply a crafted destination value that breaks out of the hidden input attribute and injects arbitrary script into the challenge page. This issue has been patched in version 1.12.2."}], "id": "CVE-2026-34206", "lastModified": "2026-04-07T15:59:28.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T20:16:28.830", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/libops/captcha-protect/commit/eef6211ecd1147273be484d913b81c68c0bd8d3f"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/libops/captcha-protect/releases/tag/v1.12.2"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/libops/captcha-protect/security/advisories/GHSA-ph62-4j5g-2q4r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.12.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "captcha-protect", "source": "cna", "vendor": "libops"}, "product": "captcha-protect", "vendor": "libops"}], "analysis": {"en": {"generated_at": "2026-04-07T23:09:06.650548+00:00", "value": {"mitigation_remediation": ["Upgrade libops captcha\u2011protect to version 1.12.2 or later and redeploy the Traefik middleware.", "Restart affected Traefik services to apply the patched plugin, ensuring configuration references the updated version.", "Verify that the challenge page no longer echoes unsanitized destination parameters by testing with benign input."], "summary": {"action": "Apply Patch", "impact": "Reflected XSS"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the libops captcha\u2011protect Traefik middleware in all versions prior to 1.12.2. Any Traefik instance that enables this plugin on subnets experiencing traffic spikes is affected.", "description_and_impact": "The exploit permits injection of arbitrary JavaScript into the captcha challenge page via a client\u2011supplied destination parameter. Because the plugin uses Go\u2019s text/template without HTML escaping, the input is reflected verbatim, allowing an attacker to execute scripts in the victim\u2019s browser and potentially steal credentials. This is a reflected Cross\u2011Site Scripting vulnerability (CWE\u201179).", "risk_and_exploitability": "With a CVSS score of 6.1, the issue carries moderate severity, and an EPSS probability of less than 1% indicates low likelihood of exploitation. It is not listed in the CISA KEV catalog. The attack vector is inferred to be a browser\u2011based reflected XSS triggered when a malicious destination URL is injected into the challenge page, causing the page to execute the crafted script."}}}}, "created": "2026-04-02T07:53:06.824837+00:00", "updated": "2026-04-08T20:00:09.008129+00:00", "vendors": ["libops", "libops$PRODUCT$captcha-protect"]}