HTML Injection Risk in Google Chat Notifications via Thinkst Canarytokens
CVE-2026-12888

2 LOW

Key Information:

Vendor
CVE Published: 22 June 2026

What is CVE-2026-12888?

An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research's Canarytokens. The flaw lets an attacker inject limited HTML content, including links, into the notification and so manipulate the interface shown to the recipient, which could lead to further security risks. Users of affected Canarytokens versions should take immediate action to mitigate potential threats.

Affected Version(s)

Canarytokens sha-4aef1db90

Canarytokens 4aef1db90 < 8ab4dccd

CVSS V4

Score: 2
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

GitHub.com/geo-chen