CVE-2026-34206 MEDIUM

CVE-2026-34206: Captcha Protect: Reflected XSS in challenge page via unsanitized destination rendered with text/template

Vendor Libops
Product captcha-protect
Weakness CWE-79 · XSS
Published March 31, 2026
Last update April 1, 2026

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting (XSS) vulnerability exists in github.com/libops/captcha-protect. The challenge page accepted a client-supplied destination value and rendered it into HTML using Go's text/template. Because text/template does not perform contextual HTML escaping, an attacker could supply a crafted destination value that breaks out of the hidden input attribute and injects arbitrary script into the challenge page. This issue has been patched in version 1.12.2.
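The mechanism described above, rendered side by side as an added example (this is not code from captcha-protect; the template markup, the `destination` field name and the constructed input are assumptions). The same template source is executed once through `text/template`, which substitutes the value verbatim, and once through `html/template`, which recognises the double-quoted attribute context and escapes the quote and angle brackets. A small check counts the quotes in the rendered markup to confirm whether the attribute stayed closed.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Assumed template: a hidden input carrying the post-challenge destination.
// The value sits inside a double-quoted attribute, which is the context the
// advisory describes.
const challengeTemplate = `<input type="hidden" name="destination" value="{{.Destination}}">`

// ConstructedDestination is a made-up input containing the characters that
// matter in attribute context: a double quote and angle brackets.
const ConstructedDestination = `a"b<c>`

type challengeData struct {
	Destination string
}

// renderWithTextTemplate mirrors the vulnerable pattern: text/template has no
// notion of HTML context and copies the value into the attribute unchanged.
func renderWithTextTemplate(destination string) (string, error) {
	tmpl, err := texttemplate.New("challenge").Parse(challengeTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, challengeData{Destination: destination}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderWithHTMLTemplate is the hardened form: html/template parses the
// surrounding markup, sees the value is inside a quoted attribute, and applies
// attribute escaping (`"` -> &#34;, `<` -> &lt;, `>` -> &gt;).
func renderWithHTMLTemplate(destination string) (string, error) {
	tmpl, err := htmltemplate.New("challenge").Parse(challengeTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, challengeData{Destination: destination}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// attributeQuotingIntact reports whether the rendered input element still has
// exactly the three quoted attributes of the template (six double quotes).
// Any extra quote means the client-supplied value closed the attribute early.
func attributeQuotingIntact(rendered string) bool {
	return strings.Count(rendered, `"`) == 6
}

func main() {
	raw, err := renderWithTextTemplate(ConstructedDestination)
	if err != nil {
		panic(err)
	}
	safe, err := renderWithHTMLTemplate(ConstructedDestination)
	if err != nil {
		panic(err)
	}
	fmt.Printf("text/template: %s (attribute intact: %t)\n", raw, attributeQuotingIntact(raw))
	fmt.Printf("html/template: %s (attribute intact: %t)\n", safe, attributeQuotingIntact(safe))
}
```

Switching the import is the whole fix for this class of bug, but only if the template is parsed by `html/template` from the start; escaping cannot be bolted on afterwards by passing an already-rendered string through a second template. When reviewing Go services, a quick grep for `"text/template"` in any package that writes HTTP responses is a cheap way to find the same pattern.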

Key dates

Disclosure timeline

March 31, 2026 CVE published
April 1, 2026 Record updated