CVE-2026-11859
Status: Awaiting Analysis

HTML Injection in Thinkst Canarytokens Emails

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: 0f2be0ad-3469-4e56-b38f-4eb96719b425

Description

An HTML injection vulnerability in the "fetch links" email sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation, Cross-Site Scripting (XSS) in email clients that render HTML emails. This issue affects Canarytokens: from Docker tag sha-c0f3cf142 before sha-08c3f93d, from Git commit c0f3cf142 before 08c3f93d.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29
External references: NVD, EUVD

Affected Vendors & Products

Two associated CPEs:

Vendor    Product        Version / Range
thinkst   canarytokens   From sha-c0f3cf142 (inc) to sha-08c3f93d (exc)
thinkst   canarytokens   From sha-08c3f93d (inc)

Exploitability

CWE ID   Description
CWE-74   The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

AI Quick Actions (AI-generated insights)

Executive Summary

This vulnerability is an HTML injection issue in the "fetch links" email sent by Thinkst Applied Research Canarytokens. It allows attackers to manipulate the interface and perform Cross-Site Scripting (XSS) attacks in email clients that render HTML emails.

The root cause is that the 'memo' field included in the links email is not properly escaped, enabling injection of malicious HTML content.

Because most email clients render HTML, an attacker can inject phishing links, additional HTML elements, and images into the notification emails that recipients receive; how much of that markup survives depends on the recipient's client.

Impact Analysis

This vulnerability can impact you by allowing attackers to inject malicious content into notification emails you receive from Canarytokens.

  • Attackers can insert phishing links that may trick you into revealing sensitive information.
  • Additional HTML and images can be injected, potentially misleading or confusing recipients.

The actual impact depends on your email client's ability to render HTML and whether it strips out dangerous elements like script tags.

Detection Guidance

This vulnerability involves HTML injection in the 'fetch links' email sent by Thinkst Applied Research Canarytokens, specifically through the 'memo' field without proper escaping.

Detection involves inspecting the content of Canarytokens notification emails for unexpected or malicious HTML elements such as injected phishing links or additional HTML content.

Since the issue is in the email content, you can search for suspicious HTML or script tags in the emails generated by Canarytokens.

  • Use command-line tools like grep or ripgrep to search for suspicious HTML in email files or logs, for example: grep -i '<script' /path/to/emails/*
  • Check the 'memo' field content in the emails for unescaped HTML by extracting the emails and reviewing their raw content.
  • Monitor network traffic for Canarytokens email notifications and analyze the HTML content for injected elements.

Mitigation Strategies

The immediate mitigation step is to update Canarytokens to the latest patched version.

Specifically, self-hosted users should update their Docker image to sha-08c3f93d or later, as the vulnerability has been fixed in this version.

Additionally, review and sanitize any user input fields such as the 'memo' field to ensure proper escaping of HTML special characters to prevent injection.

If updating immediately is not possible, consider disabling or restricting the sending of 'fetch links' emails until the patch can be applied.
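The following is an added illustration, not Canarytokens' own code, written in Python (the language the Canarytokens project is implemented in). It models the defect that the Detection Guidance and Mitigation Strategies sections describe: a user-supplied 'memo' interpolated into the HTML body of a "fetch links" style email. The template, the sample memo, and the URLs are constructed for this example and are assumptions; the real Canarytokens template differs. It shows the unescaped rendering beside the html.escape-hardened one, and a detection check that compares the tags in a rendered email against the tags the template itself contributes, which is the review of raw email content the second detection bullet calls for.

```python
import html
import re
from collections import Counter

# Constructed stand-in for the "fetch links" notification body. It is NOT the
# Canarytokens template; it only reproduces the shape of the defect: a user-
# controlled memo interpolated into HTML.
LINKS_EMAIL_TEMPLATE = """<html><body>
<p>Your Canarytoken links are ready.</p>
<p>Memo: {memo}</p>
<p><a href="{manage_url}">Manage this token</a></p>
</body></html>"""

# Constructed sample values for the demonstration (hypothetical hosts).
SAMPLE_MEMO = 'Finance share <a href="https://example.invalid/">open document</a>'
SAMPLE_URL = "https://canarytokens.example.invalid/manage?token=PLACEHOLDER"


def render_links_email_vulnerable(memo: str, manage_url: str) -> str:
    """Pre-fix pattern: the memo is inserted verbatim, so any markup it
    contains becomes part of the email's HTML."""
    return LINKS_EMAIL_TEMPLATE.format(memo=memo, manage_url=manage_url)


def render_links_email_fixed(memo: str, manage_url: str) -> str:
    """Hardened version: html.escape turns <, >, &, " and ' into entities, so
    the memo is displayed as text and cannot add elements or attributes."""
    return LINKS_EMAIL_TEMPLATE.format(
        memo=html.escape(memo, quote=True),
        manage_url=html.escape(manage_url, quote=True),
    )


# Matches opening and closing tag names: "<a href" and "</a>" both yield "a".
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")
# Baseline: the tags the template contributes on its own.
EXPECTED_TAGS = Counter(t.lower() for t in TAG_RE.findall(LINKS_EMAIL_TEMPLATE))


def injected_tags(email_html: str) -> list:
    """Detection check for stored copies of sent notifications: return the tag
    names present in a rendered email beyond what the template contributes.
    An empty list means no markup reached the message through the memo."""
    found = Counter(t.lower() for t in TAG_RE.findall(email_html))
    return sorted((found - EXPECTED_TAGS).elements())


def scan_emails(email_bodies: list) -> list:
    """Run the check over a batch of raw email bodies (for example, exported
    from a mailbox) and return (index, injected_tags) for every body that
    carries extra markup."""
    hits = []
    for i, body in enumerate(email_bodies):
        extra = injected_tags(body)
        if extra:
            hits.append((i, extra))
    return hits


if __name__ == "__main__":
    vulnerable = render_links_email_vulnerable(SAMPLE_MEMO, SAMPLE_URL)
    fixed = render_links_email_fixed(SAMPLE_MEMO, SAMPLE_URL)
    print("vulnerable rendering adds tags:", injected_tags(vulnerable))  # ['a', 'a']
    print("fixed rendering adds tags:     ", injected_tags(fixed))       # []
    print(scan_emails([fixed, vulnerable, fixed]))                        # [(1, ['a', 'a'])]
```

The baseline comparison is deliberately broader than the grep for '<script' in the first detection bullet: the description names injected phishing links and images, and those arrive as anchor and img elements, which a script-only search would never flag. On the mitigation side, escaping at the point of interpolation (or enabling autoescaping in the template engine) is the fix the page describes for the 'memo' field; restricting the email content to plain text is the stricter alternative where HTML in the memo is never needed.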

Compliance Impact

The provided information does not specify how this HTML injection vulnerability in Thinkst Applied Research Canarytokens impacts compliance with common standards and regulations such as GDPR or HIPAA.
