CVE-2026-12888
HTML Injection in Thinkst Canarytokens via Google Chat Webhook

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: 0f2be0ad-3469-4e56-b38f-4eb96719b425

Description
An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links. This issue affects Canarytokens: from Docker tag sha-4aef1db90 before sha-8ab4dccd, from Git commit 4aef1db90 before 8ab4dccd.
Affected Vendors & Products
Vendor    Product        Version / Range
thinkst   canarytokens   From sha-4aef1db90 (inclusive) to sha-8ab4dccd (exclusive)
thinkst   canarytokens   From 4aef1db90 (inclusive) to 8ab4dccd (exclusive)
CWE
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Quick Actions
Impact Analysis

The vulnerability allows attackers to insert limited HTML content into Google Chat notifications, which can manipulate the interface and potentially deceive users by making malicious content appear legitimate.

However, the severity is considered low since it does not directly impact the confidentiality, integrity, or availability of the system.

Executive Summary

CVE-2026-12888 is an HTML injection vulnerability in the Google Chat notification feature of Thinkst Applied Research Canarytokens.

The issue allows attackers to inject malicious HTML elements, such as links and images, into Google Chat notifications by exploiting unescaped fields like the User-Agent and Referer headers.

This enables interface manipulation within a Google Chat session, making the injected content appear legitimate.

Detection Guidance

This vulnerability involves HTML injection in Google Chat webhook notifications sent by Thinkst Applied Research Canarytokens, specifically through unescaped fields such as User-Agent and Referer headers.

To detect this vulnerability on your system, you can monitor Google Chat webhook notifications for unexpected or suspicious HTML content, such as injected links or images that appear in notifications.

Since the vulnerability exploits unescaped HTTP headers, you can inspect incoming webhook requests for unusual or malicious HTML content in the User-Agent and Referer headers.

  • Use network traffic capture tools like tcpdump or Wireshark to capture the webhook HTTP requests and analyze headers for suspicious HTML tags. Note that traffic on port 443 is TLS-encrypted, so header contents are only readable in a capture taken where TLS is terminated.
  • Example tcpdump command to capture HTTP traffic on port 80 or 443 (adjust as needed): sudo tcpdump -A -s 0 'tcp port 80 or tcp port 443'
  • Use curl or similar tools to manually send test requests with HTML content in User-Agent or Referer headers to see if the system reflects them in Google Chat notifications.
  • Example curl command to test injection: curl -H 'User-Agent: <a href="http://malicious.example">link</a>' -H 'Referer: <img src=x onerror=alert(1)>' https://your-canarytokens-webhook-url
Mitigation Strategies

The primary mitigation step is to update your Canarytokens installation to the latest patched version.

Specifically, update your Docker images to the version tagged sha-8ab4dccd or later, as this version contains the fix for the HTML injection vulnerability.

If you are using the hosted Canarytokens service, the issue has already been patched, so no further action is required.

Additionally, consider sanitizing or escaping any user-controllable input fields that are included in Google Chat notifications to prevent HTML injection.
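An added illustration, not Canarytokens' own code, of the check and the fix described in the detection and mitigation sections above: a hypothetical alert formatter that escapes request-derived fields before placing them in a Google Chat card (whose textParagraph text is rendered with a limited HTML subset), beside the unescaped pattern, plus a scan that flags fields carrying raw tags. The field names, the sample hit and the card layout are assumptions.

```python
import html
import re

# Constructed sample alert fields (not real Canarytokens data); the request-derived
# values carry the kind of markup the advisory describes.
SAMPLE_HIT = {
    "token": "demo-token",
    "src_ip": "203.0.113.10",
    "user_agent": '<a href="http://attacker.example">Verified by IT</a>',
    "referer": '<font color="#ff0000">ACTION REQUIRED</font>',
}

# Matches an opening or closing HTML-style tag such as <a href=...> or </a>
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def neutralize(value) -> str:
    """Escape <, >, &, and quotes so Google Chat's card HTML subset treats the value as text."""
    return html.escape(str(value), quote=True)


def suspicious_fields(hit: dict) -> list:
    """Detection helper: names of request-derived fields that carry raw HTML tags."""
    return [name for name in ("user_agent", "referer") if TAG_RE.search(str(hit.get(name, "")))]


def build_chat_card(hit: dict, escape: bool = True) -> dict:
    """Build a Google Chat incoming-webhook card (hypothetical layout, not the project's own).

    escape=False reproduces the vulnerable pattern: request headers are concatenated
    unchanged into textParagraph text, which Google Chat renders as limited HTML.
    """
    render = neutralize if escape else str
    rows = [("Source IP", hit["src_ip"]), ("User-Agent", hit["user_agent"]), ("Referer", hit["referer"])]
    widgets = [{"textParagraph": {"text": f"<b>{label}:</b> {render(value)}"}} for label, value in rows]
    return {"cards": [{"header": {"title": "Canarytoken triggered", "subtitle": render(hit["token"])},
                       "sections": [{"widgets": widgets}]}]}


def user_agent_text(payload: dict) -> str:
    """Return the rendered User-Agent line from a card built by build_chat_card."""
    return payload["cards"][0]["sections"][0]["widgets"][1]["textParagraph"]["text"]


if __name__ == "__main__":
    print("fields with raw tags:", suspicious_fields(SAMPLE_HIT))
    print("vulnerable:", user_agent_text(build_chat_card(SAMPLE_HIT, escape=False)))
    print("fixed:     ", user_agent_text(build_chat_card(SAMPLE_HIT)))
```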

Compliance Impact

The vulnerability is an HTML injection in Google Chat notifications that allows interface manipulation but does not directly impact confidentiality, integrity, or availability of the system.

Given its low severity and lack of direct impact on core security properties, there is no explicit indication that this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
