CVE Catalog

CVE-2026-13140

Low · CVSS 1.1

Exploitation Probability (EPSS)

Low risk
0.19%

8th percentile — higher than 8% of all known CVEs

Summary

CVE-2026-13140 involves stored Cross-Site Scripting in the exposed AWS API key store of Thinkst Applied Research Canarytokens. Anonymous exploitation requires knowledge of a random identifier.

Risk Assessment

Organizations may be vulnerable to XSS attacks that could lead to data theft or session hijacking. The exposure of API keys may also result in unauthorized access to AWS resources.

Recommendation

Update Canarytokens to a version after sha-f5aa5c4e and secure API keys from unauthorized access.

Original NVD description (English source)

Stored Cross-Site Scripting in the exposed AWS API key store of Thinkst Applied Research Canarytokens. Anonymous exploitation requires knowledge of a random identifier. This issue affects Canarytokens: from Docker tag sha-4116b92cb before sha-f5aa5c4e, from Git commit 4116b92cb before f5aa5c4e.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS