HTML injection in the Canarytoken Google Chat notification
Summary
| CVE | CVE-2026-12888 |
|---|---|
| State | PUBLISHED |
| Assigner | ThinkstAppliedResearch |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-22 14:16:34 UTC |
| Updated | 2026-06-23 15:42:44 UTC |
| Description | An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links. This issue affects Canarytokens: from Docker tag sha-4aef1db90 before sha-8ab4dccd, from Git commit 4aef1db90 before 8ab4dccd. |
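The description above is the whole page's technical content: the notification is a webhook POST whose text is rendered by Google Chat, and Chat interprets a limited HTML subset (including `<a href>`) inside card text, so JSON encoding the payload does not neutralize markup in attacker-influenced fields. The following is an added example, not Canarytokens code and not a reconstruction of the patched commit; it assumes (hypothetically) that a token hit's User-Agent ends up in a cardsV2 textParagraph, and shows the unescaped pattern beside the HTML-escaped one.

```python
import html
import json
import re

# Constructed sample of attacker-controlled input. Which Canarytokens field
# was the injection point is not stated on the page; using the User-Agent of a
# token hit is an assumption made for this illustration.
HOSTILE_USER_AGENT = (
    'Mozilla/5.0 <a href="https://attacker.example/login">'
    "Re-authenticate to view this alert</a>"
)


def build_card(text: str, escape: bool) -> dict:
    """Build a Google Chat cardsV2 webhook payload with one text paragraph.

    Chat renders a limited HTML subset (<a>, <b>, <i>, <font>, ...) inside
    textParagraph.text. With escape=True the untrusted value is HTML-escaped
    before interpolation; escape=False reproduces the injection pattern.
    """
    body = html.escape(text, quote=True) if escape else text
    return {
        "cardsV2": [
            {
                "cardId": "canarytoken-hit",  # hypothetical card id
                "card": {
                    "header": {"title": "Canarytoken triggered"},
                    "sections": [
                        {"widgets": [{"textParagraph": {"text": f"User-Agent: {body}"}}]}
                    ],
                },
            }
        ]
    }


def rendered_text(payload: dict) -> str:
    """Return the string Google Chat would render for the single paragraph."""
    return payload["cardsV2"][0]["card"]["sections"][0]["widgets"][0][
        "textParagraph"
    ]["text"]


def contains_chat_markup(s: str) -> bool:
    """Crude check for tags from Chat's card formatting subset.

    Suitable as a unit-test guard on outgoing notification text: any real
    '<tag' left in the paragraph means escaping was skipped somewhere.
    """
    return re.search(r"<\s*/?\s*(a|b|i|u|s|font|br|time)\b", s, re.I) is not None


def main() -> None:
    unsafe = build_card(HOSTILE_USER_AGENT, escape=False)
    safe = build_card(HOSTILE_USER_AGENT, escape=True)
    # json.dumps escapes only JSON syntax; the <a href> survives intact in the
    # unsafe payload and is delivered verbatim to Chat.
    print(json.dumps(unsafe, indent=2))
    print(json.dumps(safe, indent=2))


if __name__ == "__main__":
    main()
```

The point of the two payloads is that both are valid JSON and both are accepted by the webhook; only the rendering layer differs. The fix has to happen at the boundary where raw data is placed into a field that Chat treats as markup, which is why the CWE is injection into a downstream component rather than classic XSS.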
Risk And Classification
Primary CVSS: v4.0, score 2 (LOW), assessed by 0f2be0ad-3469-4e56-b38f-4eb96719b425
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:L/U:Green
EPSS: probability 0.00286, percentile 0.20329 (as of 2026-06-28)
Problem Types: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 0f2be0ad-3469-4e56-b38f-4eb96719b425 | Secondary | 2 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P/C... |
| 4.0 | CNA | CVSS | 2 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P/A... |
CVSS v4.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Attack Requirements | None |
| Privileges Required | None |
| User Interaction | Active |
| Confidentiality | None |
| Integrity | None |
| Availability | None |
| Subsequent Confidentiality | None |
| Subsequent Integrity | Low |
| Subsequent Availability | None |
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:L/U:Green
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Thinkst Applied Research | Canarytokens | affected from sha-4aef1db90 before sha-8ab4dccd (Docker tag, version type: custom) | Not specified |
| CNA | Thinkst Applied Research | Canarytokens | affected from 4aef1db90 before 8ab4dccd (Git commit, version type: git) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/thinkst/canarytokens/security/advisories/GHSA-vcfc-7466-8q65 | 0f2be0ad-3469-4e56-b38f-4eb96719b425 | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: GitHub.com/geo-chen (en)
Additional Advisory Data
Solutions
CNA: Pull the latest Docker image: $ docker pull thinkst/canarytokens:latest
There are currently no legacy QID mappings associated with this CVE.