Description

Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting (XSS) vulnerability exists in github.com/libops/captcha-protect. The challenge page accepted a client-supplied destination value and rendered it into HTML using Go's text/template. Because text/template does not perform contextual HTML escaping, an attacker could supply a crafted destination value that breaks out of the hidden input attribute and injects arbitrary script into the challenge page. This issue has been patched in version 1.12.2.

INFO

Published Date :

2026-03-31T19:34:21.383Z

Last Modified :

2026-04-01T18:41:05.256Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34206 vulnerability.

Vendors Products
Libops
  • Captcha-protect
  • Captcha Protect
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34206.

URL Resource
https://github.com/libops/captcha-protect/commit/eef6211ecd1147273be484d913b81c68c0bd8d3f cve-icon cve-icon
https://github.com/libops/captcha-protect/releases/tag/v1.12.2 cve-icon cve-icon
https://github.com/libops/captcha-protect/security/advisories/GHSA-ph62-4j5g-2q4r cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact