CVE-2019-9768

HIGH

Thinkst Canarytokens <4e89ee0 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-9768. PoCs published by Benjamin Zink Loft_ Gionathan Reale.

AI-analyzed exploit summary This PHP script detects CanaryTokens in .docx files by analyzing the docProps/core.xml file for specific markers. It bypasses detection by suggesting opening the file in Protected View if a token is found.

Description

Thinkst Canarytokens through commit hash 4e89ee0 (2019-03-01) relies on limited variation in size, metadata, and timestamp, which makes it easier for attackers to estimate whether a Word document contains a token.

Exploits (1)

exploitdb WORKING POC

by Benjamin Zink Loft_ Gionathan Reale · phpdoswindows

https://www.exploit-db.com/exploits/46589

View Code ZIP pw:eip

This PHP script detects CanaryTokens in .docx files by analyzing the docProps/core.xml file for specific markers. It bypasses detection by suggesting opening the file in Protected View if a token is found.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Canarytokens up to 2019-03-01

No auth needed

Prerequisites: unzip utility · PHP environment

MITRE ATT&CK

T1082 - System Information Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory x_refsource_misc

https://github.com/thinkst/canarytokens/issues/35

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/46589/

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/152182/Canarytokens-2019-03-01-Detection-Bypass.html

Scores

CVSS v3 7.5

EPSS 0.1168

EPSS Percentile 95.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-264

Status published

Products (1)

thinkst/canarytokens < 2019-03-01

Published Mar 14, 2019

Tracked Since Feb 18, 2026