{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-13140", "assignerOrgId": "0f2be0ad-3469-4e56-b38f-4eb96719b425", "state": "PUBLISHED", "assignerShortName": "ThinkstAppliedResearch", "dateReserved": "2026-06-24T08:36:28.448Z", "datePublished": "2026-06-24T11:12:17.073Z", "dateUpdated": "2026-06-24T12:20:09.343Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0f2be0ad-3469-4e56-b38f-4eb96719b425", "shortName": "ThinkstAppliedResearch", "dateUpdated": "2026-06-24T11:12:17.073Z"}, "title": "Stored Cross-Site Scripting in Canarytokens.org", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Thinkst Applied Research", "product": "Canarytokens", "versions": [{"status": "affected", "version": "sha-4116b92cb", "lessThan": "f5aa5c4e", "versionType": "custom"}, {"status": "affected", "version": "4116b92cb", "lessThan": "f5aa5c4e", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Stored Cross-Site Scripting in the exposed AWS API key store of\u00a0Thinkst Applied Research Canarytokens.\n\n\n\n\nAnonymous exploitation requires knowledge of a random identifier.\n\n\n\n\nThis issue affects Canarytokens: from Docker tag sha-4116b92cb before sha-f5aa5c4e, from Git commit 4116b92cb before f5aa5c4e.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div>Stored Cross-Site Scripting in the exposed AWS API key store of&nbsp;<span>Thinkst Applied Research Canarytokens.</span></div><div><span><br></span></div><div><span>Anonymous exploitation requires knowledge of a random identifier.</span></div><div><span><br></span></div><div>This issue affects Canarytokens: from Docker tag sha-4116b92cb before sha-f5aa5c4e, from Git commit 4116b92cb before f5aa5c4e.<span></span></div>"}]}], "references": [{"url": "https://github.com/thinkst/canarytokens/security/advisories/GHSA-23pf-xjp2-48q6"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "LOW", "baseScore": 1.1, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}], "solutions": [{"lang": "en", "value": "Pull the latest Docker image:\n\n\n$\u00a0docker pull thinkst/canarytokens:latest", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Pull the latest Docker image:<div><br></div><div><code>$&nbsp;docker pull thinkst/canarytokens:latest</code></div>"}]}], "credits": [{"lang": "en", "value": "Arkadiusz Marta", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-24T12:19:58.505826Z", "id": "CVE-2026-13140", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T12:20:09.343Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-13140", "assignerOrgId": "0f2be0ad-3469-4e56-b38f-4eb96719b425", "state": "PUBLISHED", "assignerShortName": "ThinkstAppliedResearch", "dateReserved": "2026-06-24T08:36:28.448Z", "datePublished": "2026-06-24T11:12:17.073Z", "dateUpdated": "2026-06-24T12:20:09.343Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0f2be0ad-3469-4e56-b38f-4eb96719b425", "shortName": "ThinkstAppliedResearch", "dateUpdated": "2026-06-24T11:12:17.073Z"}, "title": "Stored Cross-Site Scripting in Canarytokens.org", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Thinkst Applied Research", "product": "Canarytokens", "versions": [{"status": "affected", "version": "sha-4116b92cb", "lessThan": "f5aa5c4e", "versionType": "custom"}, {"status": "affected", "version": "4116b92cb", "lessThan": "f5aa5c4e", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Stored Cross-Site Scripting in the exposed AWS API key store of\u00a0Thinkst Applied Research Canarytokens.\n\n\n\n\nAnonymous exploitation requires knowledge of a random identifier.\n\n\n\n\nThis issue affects Canarytokens: from Docker tag sha-4116b92cb before sha-f5aa5c4e, from Git commit 4116b92cb before f5aa5c4e.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div>Stored Cross-Site Scripting in the exposed AWS API key store of&nbsp;<span>Thinkst Applied Research Canarytokens.</span></div><div><span><br></span></div><div><span>Anonymous exploitation requires knowledge of a random identifier.</span></div><div><span><br></span></div><div>This issue affects Canarytokens: from Docker tag sha-4116b92cb before sha-f5aa5c4e, from Git commit 4116b92cb before f5aa5c4e.<span></span></div>"}]}], "references": [{"url": "https://github.com/thinkst/canarytokens/security/advisories/GHSA-23pf-xjp2-48q6"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "LOW", "baseScore": 1.1, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}], "solutions": [{"lang": "en", "value": "Pull the latest Docker image:\n\n\n$\u00a0docker pull thinkst/canarytokens:latest", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Pull the latest Docker image:<div><br></div><div><code>$&nbsp;docker pull thinkst/canarytokens:latest</code></div>"}]}], "credits": [{"lang": "en", "value": "Arkadiusz Marta", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-13140", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-24T12:19:58.505826Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T12:20:03.611Z"}}]}}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[sha-4116b92cb,f5aa5c4e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4116b92cb,f5aa5c4e)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Canarytokens", "source": "cna", "vendor": "Thinkst Applied Research"}, "product": "canarytokens", "vendor": "thinkst_applied_research"}], "created": "2026-06-24T14:00:07.548213+00:00", "updated": "2026-06-24T15:15:04.531493+00:00", "vendors": ["thinkst_applied_research", "thinkst_applied_research$PRODUCT$canarytokens"]}