Description
An HTML injection vulnerability exists in the Google Chat webhook notification  sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links.


This issue affects Canarytokens: from Docker tag sha-4aef1db90 before sha-8ab4dccd, from Git commit 4aef1db90 before 8ab4dccd.
Published: 2026-06-22
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An HTML injection flaw exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, allowing an attacker to embed a limited set of HTML elements, such as links, into messages displayed in Google Chat. The injected content can manipulate the interface, potentially redirect users to malicious sites or present misleading information, but it does not provide direct code execution or broader system compromise. The risk is primarily in facilitating phishing or social engineering attacks within the chat environment.

Affected Systems

The affected product is Thinkst Applied Research Canarytokens. All Docker images tagged with sha‑4aef1db90 or earlier, and any Git commit from 4aef1db90 up to but not including 8ab4dccd, are vulnerable. Updating to images tagged sha‑8ab4dccd or later resolves the vulnerability.

Risk and Exploitability

The CVSS score is 2, indicating low severity, and no EPSS data is available. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is the Google Chat webhook; an attacker would need to inject messages or otherwise control a Canarytokens instance. The exploitation potential is modest, with the primary threat being the delivery of malicious links to chat participants.

Generated by OpenCVE AI on June 22, 2026 at 14:50 UTC.

Remediation

Vendor Solution

Pull the latest Docker image: $ docker pull thinkst/canarytokens:latest


OpenCVE Recommended Actions

  • Pull the latest Canarytokens Docker image using 'docker pull thinkst/canarytokens:latest' and redeploy the container
  • Restart all Canarytokens services to ensure the new image is in use
  • Optionally configure the Google Chat webhook to sanitize or strip HTML from incoming messages if the platform supports such filtering

Generated by OpenCVE AI on June 22, 2026 at 14:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Thinkst Applied Research
Thinkst Applied Research canarytokens
Vendors & Products Thinkst Applied Research
Thinkst Applied Research canarytokens

Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description An HTML injection vulnerability exists in the Google Chat webhook notification  sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links. This issue affects Canarytokens: from Docker tag sha-4aef1db90 before sha-8ab4dccd, from Git commit 4aef1db90 before 8ab4dccd.
Title HTML injection in the Canarytoken Google Chat notification
Weaknesses CWE-74
References
Metrics cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P/AU:N/RE:L/U:Green'}


Subscriptions

Thinkst Applied Research Canarytokens
cve-icon MITRE

Status: PUBLISHED

Assigner: ThinkstAppliedResearch

Published:

Updated: 2026-06-22T15:42:35.858Z

Reserved: 2026-06-22T10:56:11.962Z

Link: CVE-2026-12888

cve-icon Vulnrichment

Updated: 2026-06-22T15:42:31.009Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T15:45:03Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')