CVE-2026-12888

Summary

An HTML injection vulnerability exists in the Google Chat webhook notification  sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links.

This issue affects Canarytokens: from Docker tag sha-4aef1db90 before sha-8ab4dccd, from Git commit 4aef1db90 before 8ab4dccd.

Affected Software

VendorProductVersion RangeStatus
Thinkst Applied ResearchCanarytokenssha-4aef1db90 < sha-8ab4dccdaffected
Thinkst Applied ResearchCanarytokens4aef1db90 < 8ab4dccdaffected

Weaknesses

  • CWE-74: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References