{"cve":{"cve_id":"CVE-2026-12888","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":0.00286,"epss_percentile":0.20162,"epss_as_of":"2026-06-23","description":"An HTML injection vulnerability exists in the Google Chat webhook notification  sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links.\n\n\nThis issue affects Canarytokens: from Docker tag sha-4aef1db90 before sha-8ab4dccd, from Git commit 4aef1db90 before 8ab4dccd.","published_at":"2026-06-22T13:05:53.827000Z","last_modified_at":null,"cvss_v3_score":null,"cvss_v3_vector":null,"cvss_v3_severity":null,"cvss_v4_score":2.0,"cvss_v4_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P/AU:N/RE:L/U:Green","cvss_v4_severity":"LOW","ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-74"],"nvd_references":["https://github.com/thinkst/canarytokens/security/advisories/GHSA-vcfc-7466-8q65"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:39.878444Z","updated_at":"2026-06-28T23:28:57.643719Z"},"effective_severity":"LOW","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":null,"metrics":[]},"cvss_v4_decoded":{"version":"4.0","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"AT","name":"Attack Requirements","value":"N","value_label":"None"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"A","value_label":"Active"},{"metric":"VC","name":"Confidentiality (Vulnerable System)","value":"N","value_label":"None"},{"metric":"VI","name":"Integrity (Vulnerable System)","value":"N","value_label":"None"},{"metric":"VA","name":"Availability (Vulnerable System)","value":"N","value_label":"None"},{"metric":"SC","name":"Confidentiality (Subsequent System)","value":"N","value_label":"None"},{"metric":"SI","name":"Integrity (Subsequent System)","value":"L","value_label":"Low"},{"metric":"SA","name":"Availability (Subsequent System)","value":"N","value_label":"None"},{"metric":"E","name":"E","value":"P","value_label":"Physical"},{"metric":"AU","name":"AU","value":"N","value_label":"None"},{"metric":"RE","name":"RE","value":"L","value_label":"Low"},{"metric":"U","name":"U","value":"Green","value_label":"Green"}]},"affected":[{"vendor_slug":"thinkst-applied-research","vendor_name":"Thinkst Applied Research","product_slug":"canarytokens","product_name":"Canarytokens","version_start":"sha-4aef1db90","version_start_inclusive":true,"version_end":"sha-8ab4dccd","version_end_inclusive":false,"cpe23_uri":"cve5:thinkst-applied-research:canarytokens:sha-4aef1db90:sha-8ab4dccd"},{"vendor_slug":"thinkst-applied-research","vendor_name":"Thinkst Applied Research","product_slug":"canarytokens","product_name":"Canarytokens","version_start":"4aef1db90","version_start_inclusive":true,"version_end":"8ab4dccd","version_end_inclusive":false,"cpe23_uri":"cve5:thinkst-applied-research:canarytokens:4aef1db90:8ab4dccd"}],"exploit_refs":[],"news":[],"references":[{"url":"https://github.com/thinkst/canarytokens/security/advisories/GHSA-vcfc-7466-8q65","source_type":"VENDOR_ADVISORY","tags":["advisory"]}],"timeline":[{"type":"published","at":"2026-06-22T13:05:53.827000Z","label":"CVE published","source":null},{"type":"cvss_changed","at":"2026-06-28T17:50:44.924477Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:50:44.924477Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:50:44.924477Z","label":"CVSS score revised","source":"cvelistv5"}]}