CVE-2026-12888 · Symaro Security Advisory

Description

An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links. This issue affects Canarytokens: from Docker tag sha-4aef1db90 before sha-8ab4dccd, from Git commit 4aef1db90 before 8ab4dccd.

Severity (CVSS)

Base score	2
Severity	Low
Version	CVSS 4.0
Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P/AU:N/RE:L/U:Green
Provided by	CNA

Weaknesses

CWE-74 — CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Affected products

Vendor	Product	Versions
Thinkst Applied Research	Canarytokens	sha-4aef1db90 to <sha-8ab4dccd; 4aef1db90 to <8ab4dccd

References

https://github.com/thinkst/canarytokens/security/advisories/GHSA-vcfc-7466-8q65

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 22 Jun 2026 14:43 UTC.