๐Ÿ” CVE Alert

CVE-2026-11859

UNKNOWN 0.0

HTML injection in the Canarytoken links email

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

An HTML injection vulnerability in the "fetch links" email sent by Thinkst Applied Research Canarytokens enables Interface Manipulation and Cross-Site Scripting (XSS) in email clients that render HTML emails. This issue affects Canarytokens: from Docker tag sha-c0f3cf142 before sha-08c3f93d, from Git commit c0f3cf142 before 08c3f93d.

CWE: CWE-74
Vendor: Thinkst Applied Research
Product: Canarytokens
Published: Jun 10, 2026

Affected Versions

Thinkst Applied Research / Canarytokens
Docker tag: from sha-c0f3cf142 before sha-08c3f93d
Git commit: from c0f3cf142 before 08c3f93d

References

github.com: https://github.com/thinkst/canarytokens/security/advisories/GHSA-55jf-cqr9-r7p4

Credits

Arkadiusz Marta