CVE-2026-12888

UNKNOWN 0.0

HTML injection in the Canarytoken Google Chat notification

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links. This issue affects Canarytokens: from Docker tag sha-4aef1db90 before sha-8ab4dccd, from Git commit 4aef1db90 before 8ab4dccd.

CWE	CWE-74
Vendor	thinkst applied research
Product	canarytokens
Published	Jun 22, 2026
Last Updated	Jun 22, 2026

Stay Ahead of the Next One

Get instant alerts for thinkst applied research canarytokens

Be the first to know when new unknown vulnerabilities affecting thinkst applied research canarytokens are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Thinkst Applied Research / Canarytokens

sha-4aef1db90 < sha-8ab4dccd 4aef1db90 < 8ab4dccd

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/thinkst/canarytokens/security/advisories/GHSA-vcfc-7466-8q65

Credits

GitHub.com/geo-chen