HTML injection in the Canarytoken Google Chat notification_CVE-2026-12888

2 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P/AU:N/RE:L/U:Green

Description

An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links.

This issue affects Canarytokens: from Docker tag sha-4aef1db90 before sha-8ab4dccd, from Git commit 4aef1db90 before 8ab4dccd.

Basic Information

ID CVE-2026-12888

Source ThinkstAppliedResearch

Published Jun 22, 2026 at 13:05

Affected Product

Vendor Thinkst Applied Research

Product Canarytokens

Version sha-4aef1db90

Affected Versions Thinkst Applied Research Canarytokens sha-4aef1db90
Thinkst Applied Research Canarytokens 4aef1db90

CWE Classification

CWE-74

References

github.com /thinkst/canarytokens/security/advisories/GHSA-vcfc-7466-8q65

{
    "lastseen": "",
    "description": "An HTML injection vulnerability exists in the Google Chat webhook notification\u00a0 sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links.\n\n\nThis issue affects Canarytokens: from Docker tag sha-4aef1db90 before sha-8ab4dccd, from Git commit 4aef1db90 before 8ab4dccd.",
    "published": "2026-06-22T13:05:53.827Z",
    "modified": "2026-06-22T13:05:53.827Z",
    "type": "cve",
    "title": "HTML injection in the Canarytoken Google Chat notification",
    "source": "ThinkstAppliedResearch",
    "references": "https://github.com/thinkst/canarytokens/security/advisories/GHSA-vcfc-7466-8q65",
    "id": "CVE-2026-12888",
    "bulletinFamily": "",
    "cwe": [
        "CWE-74"
    ],
    "cvelist": null,
    "sourceData": "Thinkst Applied Research Canarytokens sha-4aef1db90\nThinkst Applied Research Canarytokens 4aef1db90",
    "sourceHref": "",
    "cvss": {
        "score": 2,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P/AU:N/RE:L/U:Green",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Canarytokens",
    "version": "sha-4aef1db90",
    "vendor": "Thinkst Applied Research",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}