CVE-2026-12888
Awaiting Analysis
Awaiting Analysis - Queue
HTML Injection in Thinkst Canarytokens via Google Chat Webhook
Vulnerability report for CVE-2026-12888, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-22
Last updated on: 2026-06-22
Assigner: 0f2be0ad-3469-4e56-b38f-4eb96719b425
Description
Description
An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links.
This issue affects Canarytokens: from Docker tag sha-4aef1db90 before sha-8ab4dccd, from Git commit 4aef1db90 before 8ab4dccd.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thinkst | canarytokens | From sha-4aef1db90 (inc) to sha-8ab4dccd (exc) |
| thinkst | canarytokens | From 4aef1db90 (inc) to 8ab4dccd (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |