CVE Catalog

CVE-2026-12888

Low · CVSS 2.0

Exploitation Probability (EPSS)

Low risk
0.29%

20th percentile — higher than 20% of all known CVEs

Summary

An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links.

Risk Assessment

This vulnerability may lead to user interface manipulation, potentially resulting in fraud or phishing in the context of communication in Google Chat.

Recommendation

Update Canarytokens to a version after sha-8ab4dccd to mitigate this vulnerability, and monitor webhook notifications for potential abuse.

Original NVD description (English source)

An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links. This issue affects Canarytokens: from Docker tag sha-4aef1db90 before sha-8ab4dccd, from Git commit 4aef1db90 before 8ab4dccd.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS