CVE-2026-12888 | An HTML injection vulnerability exists in the Google Chat we… | CVSS 2.0 LOW

Description

An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links. This issue affects Canarytokens: from Docker tag sha-4aef1db90 before sha-8ab4dccd, from Git commit 4aef1db90 before 8ab4dccd.

Metadata

CVE ID: CVE-2026-12888
State: PUBLISHED
Assigner: ThinkstAppliedResearch
Reserved: 2026-06-22 10:56 UTC
Published: 2026-06-22 13:05 UTC
Last updated: 2026-06-22 15:42 UTC
Primary CWE: CWE-74
CWE-74: Improper Neutralization of Special Elements in Outpu…
Vendor / Product: Thinkst Applied Research / Canarytokens
Sources: cve.org · NVD

Severity & Metrics

2.0 LOW CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P/AU:N/RE:L/U:Green

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Thinkst Applied Research	Canarytokens	—	sha-4aef1db90 < sha-8ab4dccd, 4aef1db90 < 8ab4dccd

Weakness (CWE)

CWE	Source	Description
CWE-74	cna	CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
2.0	LOW	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P/AU:N/RE:L/U:Green

References (1)

https://github.com/thinkst/canarytokens/security/advisories/GHSA-vcfc-7466-8q65