CVE-2026-28355: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in thinkst canarytokens
CVE-2026-28355 is a low-severity self cross-site scripting (self-XSS) vulnerability in thinkst's Canarytokens product, affecting versions prior to commit sha-7ff0e12. The vulnerability arises from improper input neutralization in the title field of the PWA Canarytoken, allowing JavaScript injection. This can lead to script execution when the token creator or a recipient of the installation link views the installation page. Although exploitation requires user interaction and does not disclose sensitive information like session data, an attacker could trick victims into executing malicious scripts. The issue has been patched in the latest Canarytokens.org version, and self-hosted users are advised to update their Docker images accordingly. No known exploits are currently in the wild. Due to limited impact and exploitation complexity, the CVSS score is low (1.3).
AI Analysis
Technical Summary
CVE-2026-28355 identifies a Cross-Site Scripting (XSS) vulnerability classified under CWE-79 in the thinkst Canarytokens product, specifically within the Progressive Web App (PWA) Canarytoken implementation. The vulnerability exists because the application fails to properly sanitize or neutralize JavaScript code inserted into the title field of a PWA Canarytoken. An attacker or even the token creator can embed malicious JavaScript in this field. When the installation page for the Canarytoken is accessed by the creator or a recipient of the installation link, the injected script executes in the context of the browser. This is a self-XSS scenario, meaning the attacker must convince the victim to open the crafted link. Importantly, the vulnerability does not allow exfiltration of sensitive information such as session tokens or credentials, limiting its impact. The flaw affects versions prior to commit sha-7ff0e12, and has been patched in the official Canarytokens.org service. Self-hosted deployments need to update their Docker images to the latest version to remediate the issue. The vulnerability does not require privileges or authentication to exploit but does require user interaction (clicking the link). No known active exploitation has been reported.
Potential Impact
The impact of CVE-2026-28355 is relatively low due to several mitigating factors. The vulnerability is a self-XSS, which inherently limits exploitation to scenarios where the victim is tricked into executing malicious scripts by clicking on a crafted link. There is no direct compromise of confidentiality, as no sensitive information such as session cookies or credentials is disclosed to the attacker. Integrity and availability impacts are minimal since the injected script runs only in the victim's browser context and does not affect server-side data or services. However, attackers could use this vulnerability for social engineering attacks, such as phishing or delivering malicious payloads within the browser session, potentially leading to further compromise if combined with other vulnerabilities or user actions. Organizations using Canarytokens for internal monitoring and deception should update promptly to avoid any risk of misuse or undermining trust in their detection mechanisms. Overall, the threat is low but should be addressed to maintain security hygiene.
Mitigation Recommendations
To mitigate CVE-2026-28355, organizations should immediately update their Canarytokens installations to the patched version at or beyond commit sha-7ff0e12. For users of the official Canarytokens.org service, no action is required as the patch is already applied. Self-hosted deployments must pull the latest Docker image to ensure the fix is incorporated. Additionally, administrators should review and sanitize any existing PWA Canarytokens with custom titles to remove potentially malicious scripts. Implementing Content Security Policy (CSP) headers on the installation pages can further reduce the risk of script execution by restricting the allowable sources of executable scripts. Educating users about the risks of clicking untrusted links, especially those related to internal security tools, will also help reduce the likelihood of exploitation. Finally, monitoring logs for unusual access patterns to Canarytoken installation pages can help detect exploitation attempts.
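As an added illustration of the CWE-79 pattern this advisory describes (not Canarytokens code; the function names, page template and sample title are assumptions), the following shows a user-supplied token title rendered into an installation page unescaped, the hardened form that escapes it for its HTML context, and a CSP header of the kind recommended above:

```javascript
// Added example (not Canarytokens code): a PWA token title rendered into the
// installation page, in vulnerable and hardened form, plus a CSP header for
// defence in depth. Function and page names are assumptions for illustration.

// Escape the five characters that matter in HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the title is concatenated into markup unchanged, so a title containing
// markup closes the <title> element and injects its own elements into the page.
function renderInstallPageVulnerable(title) {
  return `<!doctype html><html><head><title>${title}</title></head>` +
         `<body><h1>Install ${title}</h1></body></html>`;
}

// Hardened: every interpolation of the title is escaped for the context it lands in.
function renderInstallPageHardened(title) {
  const safeTitle = escapeHtml(title);
  return `<!doctype html><html><head><title>${safeTitle}</title></head>` +
         `<body><h1>Install ${safeTitle}</h1></body></html>`;
}

// Defence in depth for the installation page: scripts may only load from the page's
// own origin or carry the per-response nonce, so an injected inline <script> is
// blocked even if an escaping bug slips through. Generate a fresh nonce per response.
function buildCspHeader(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; ` +
         `object-src 'none'; base-uri 'none'; frame-ancestors 'none'`;
}

// Review helper: true if the rendered page carries a <script> tag or an inline
// event-handler attribute that the template itself never emits.
function containsInjectedScript(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html);
}

// Constructed sample title modelled on the advisory (markup placed in the title field).
const SAMPLE_MALICIOUS_TITLE = '</title><script>console.log("xss")</script>';

// Renders the same title both ways and reports whether script markup survived.
function demo() {
  return {
    vulnerable: containsInjectedScript(renderInstallPageVulnerable(SAMPLE_MALICIOUS_TITLE)),
    hardened: containsInjectedScript(renderInstallPageHardened(SAMPLE_MALICIOUS_TITLE)),
  };
}
```

Running `demo()` reports `vulnerable: true, hardened: false`; the CSP header is a second layer, not a substitute for the output escaping.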
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Netherlands, India, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-26T18:38:13.890Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a2087132ffcdb8a2724a77
Added to database: 2/27/2026, 9:11:13 PM
Last enriched: 2/27/2026, 9:27:20 PM
Last updated: 2/27/2026, 10:12:01 PM