CVE-2026-28355: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in thinkst canarytokens
Canarytokens help track activity and actions on a network. Versions prior to `sha-7ff0e12` have a self cross-site scripting vulnerability in the "PWA" Canarytoken, whereby the Canarytoken's creator can attack themselves or someone they share the link with. The creator of a PWA Canarytoken can insert JavaScript into the title field of their PWA token. When the creator later browses the installation page for their own Canarytoken, the JavaScript executes. This is a self-XSS. An attacker could create a Canarytoken with this self-XSS and send the install link to a victim. When they click on it, the JavaScript would execute. However, no sensitive information (e.g. session information) will be disclosed to the malicious actor. This issue is now patched on Canarytokens.org. Users of self-hosted Canarytokens installations can update by pulling the latest Docker image, or any Docker image after sha-7ff0e12.
AI Analysis
Technical Summary
CVE-2026-28355 is a Cross-Site Scripting (XSS) vulnerability categorized under CWE-79 affecting thinkst's Canarytokens product, specifically the Progressive Web App (PWA) Canarytoken implementation. Versions prior to commit sha-7ff0e12 do not properly neutralize input during web page generation, allowing JavaScript to be injected through the token's title field. The vulnerability manifests as a self-XSS: the token creator can inadvertently execute the injected script in their own browser when viewing the installation page. Additionally, an attacker could craft a PWA Canarytoken with embedded JavaScript and send the installation link to a victim, causing the script to execute when the link is opened. However, the vulnerability does not expose sensitive information such as session tokens or credentials to the attacker, which limits its impact. The flaw arises from insufficient sanitization or output encoding of user-supplied data in the token title field before it is rendered in the web interface. Exploitation requires no privileges or authentication but does require user interaction (opening the link). The issue is patched in the official Canarytokens.org service; self-hosted installations are fixed by updating to a Docker image at or after sha-7ff0e12. No known exploits have been observed in the wild, and the CVSS 4.0 base score is 1.3, reflecting low severity due to the limited impact and the user interaction required.
Potential Impact
The impact of CVE-2026-28355 is limited due to its self-XSS nature and lack of sensitive data disclosure. Organizations using thinkst Canarytokens, especially self-hosted deployments, could face minor risks if attackers craft malicious PWA Canarytokens and trick users into clicking installation links. The vulnerability could lead to execution of arbitrary JavaScript in the context of the Canarytokens installation page, potentially enabling UI manipulation or phishing attempts within that page. However, since no session or authentication tokens are leaked, and the vulnerability requires user interaction, the risk of broader compromise or data exfiltration is minimal. The primary impact is on user trust and potential confusion or annoyance rather than critical security breaches. Nonetheless, attackers might leverage this vector in social engineering campaigns targeting security teams using Canarytokens. Organizations relying on Canarytokens for intrusion detection should patch promptly to maintain the integrity of their deception environment and avoid any risk of token misuse or user confusion.
Mitigation Recommendations
To mitigate CVE-2026-28355, organizations should immediately update their Canarytokens installations to the latest version, specifically pulling Docker images at or after commit sha-7ff0e12 where the vulnerability is patched. For users of the official Canarytokens.org service, no action is required as the patch is already applied. Additionally, administrators should educate users about the risks of clicking untrusted Canarytoken installation links, especially those received from unknown or suspicious sources. Implementing Content Security Policy (CSP) headers on the Canarytokens web interface can further reduce the risk of script injection exploitation. Regular code reviews and input validation enhancements should be enforced to prevent similar injection flaws. Monitoring logs for unusual Canarytoken installation link accesses or unexpected script execution behaviors can help detect attempted exploitation. Finally, security teams should maintain awareness of updates from thinkst and apply patches promptly to minimize exposure.
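As an added illustration of the output-encoding fix the analysis refers to (example code written for this page, not thinkst's Canarytokens code), the Python below renders a user-supplied token title into a small install page two ways: raw interpolation, which reproduces the CWE-79 pattern, and HTML-encoded output, which neutralises it. The page template, function names, the constructed sample titles and the CSP policy are assumptions. `has_live_markup` is a regression check that no tag present in the input survives verbatim in the rendered page, and `title_needs_review` is a server-side flag that can feed the log monitoring the recommendations mention.

```python
"""Added example (not Canarytokens' own code): output encoding and CSP for a
user-supplied title rendered into an install page.

The page layout, function names, sample titles and CSP values are assumptions
chosen to illustrate CWE-79 in the style of the PWA title field the advisory
describes; none of them is taken from the thinkst/canarytokens code base.
"""
import html
import re

# Constructed sample titles: one benign, one carrying markup.
BENIGN_TITLE = "Finance share - Q3 reports"
MARKUP_TITLE = 'Finance share <script>alert("xss")</script>'

# Assumed page shape: the title lands in a text node, a heading and an attribute.
PAGE_TEMPLATE = (
    "<!doctype html><html><head><title>{title}</title></head>"
    "<body><h1>Install {title}</h1>"
    '<button data-name="{title}">Add to home screen</button></body></html>'
)


def render_install_page_vulnerable(title: str) -> str:
    """The 'before' shape of the bug: raw interpolation of user input into HTML."""
    return PAGE_TEMPLATE.format(title=title)


def render_install_page_fixed(title: str) -> str:
    """Hardened form: HTML-encode the title once for every context it lands in.

    html.escape with quote=True encodes <, >, &, " and ', which covers both the
    text-node context (<h1>) and the double-quoted attribute context
    (data-name="..."). Encoding at output time is the CWE-79 fix; it does not
    try to detect "bad" input, so any title still renders correctly as text.
    """
    return PAGE_TEMPLATE.format(title=html.escape(title, quote=True))


_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def has_live_markup(rendered: str, user_input: str) -> bool:
    """True if any tag found in the raw input appears verbatim in the output.

    A cheap regression check for templates: every tag in the user input should
    have been neutralised before it reached the page.
    """
    return any(tag in rendered for tag in _TAG_RE.findall(user_input))


def title_needs_review(title: str) -> bool:
    """Server-side flag for logging: the title contains markup-significant characters.

    Not a substitute for output encoding; it supports reviewing unusual token
    content so operators can spot titles that look like injection attempts.
    """
    return bool(_TAG_RE.search(title)) or any(c in title for c in "<>\"'")


def csp_header() -> str:
    """A restrictive Content-Security-Policy for a static install page (assumed policy).

    With script-src limited to 'self' and no 'unsafe-inline', an injected inline
    <script> or on* handler is blocked by the browser even if encoding is missed.
    Assumed to suit a page that loads only same-origin scripts.
    """
    return (
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "base-uri 'none'; frame-ancestors 'none'"
    )


if __name__ == "__main__":
    for name, render in (("vulnerable", render_install_page_vulnerable),
                         ("fixed", render_install_page_fixed)):
        page = render(MARKUP_TITLE)
        print(f"{name}: live markup in output = {has_live_markup(page, MARKUP_TITLE)}")
    print("needs review:", title_needs_review(MARKUP_TITLE))
    print("Content-Security-Policy:", csp_header())
```

The design point is that the fix lives at the output boundary (encode for the HTML context at render time) while the review flag is only telemetry; rejecting or stripping input at entry would both miss encodings the filter does not anticipate and break legitimate titles that happen to contain angle brackets or quotes.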
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, Netherlands, France, India, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-26T18:38:13.890Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a2087132ffcdb8a2724a77
Added to database: 2/27/2026, 9:11:13 PM
Last enriched: 3/7/2026, 9:12:31 PM
Last updated: 4/12/2026, 7:24:59 PM
Views: 103