VYPR
Low severity · NVD Advisory · Published Jun 10, 2026

CVE-2026-11859

Description

HTML injection in Canarytokens allows interface manipulation and XSS in email clients by injecting HTML into notification emails.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An HTML injection vulnerability exists in the "fetch links" email sent by Thinkst Applied Research Canarytokens. The memo field is interpolated into the email body without proper escaping, so any HTML markup placed in the memo is delivered as markup rather than as text. This issue affects Canarytokens versions from Docker tag sha-c0f3cf142 before sha-08c3f93d, and Git commit c0f3cf142 before 08c3f93d [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious input for the memo field when creating a Canarytoken. When the "fetch links" email is sent and rendered by an email client that supports HTML, the injected HTML will be displayed. The scope of impact depends on the email client's capabilities to render HTML and strip potentially malicious elements [1].

Impact

Successful exploitation allows for interface manipulation and Cross-Site Scripting (XSS) within email clients that render HTML emails. At a minimum, an attacker can inject phishing links, additional HTML, and images into notification emails. The exact impact is dependent on the email client's HTML rendering capabilities [1].

Mitigation

This issue has been patched in Canarytokens.org. Users of self-hosted Canarytokens installations can update by pulling the latest Docker image tagged latest (any image after sha-08c3f93d) [1].
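The Vulnerability and Mitigation sections above describe the flaw as a memo field interpolated into an HTML email without escaping. The following Python example is added here to illustrate that class of defect and its fix; it is not Canarytokens code, and the template, memo value and function names are constructed for the example. It renders a constructed memo into a constructed notification template both verbatim and with html.escape, and includes a small regression check that flags a rendered body containing tags the template itself did not contribute.

```python
import html
from html.parser import HTMLParser

# Constructed sample memo containing markup. In the advisory's scenario the memo is
# free text chosen by whoever creates the token, so it must be treated as untrusted.
SAMPLE_MEMO = 'Finance share <a href="https://example.invalid/login">verify</a>'

# Constructed stand-in for a notification email template (not the real one).
TEMPLATE = (
    "<html><body>"
    "<p>Your Canarytoken was triggered.</p>"
    "<p>Memo: {memo}</p>"
    "</body></html>"
)

# The tags the template itself emits, in document order; anything beyond these
# came from the interpolated memo.
TEMPLATE_TAGS = ["html", "body", "p", "p"]


def render_unsafe(memo: str) -> str:
    """Vulnerable pattern: the memo is dropped into the HTML verbatim, so any
    tags it carries become part of the email's DOM when a client renders HTML."""
    return TEMPLATE.format(memo=memo)


def render_safe(memo: str) -> str:
    """Hardened pattern: escape &, <, >, and both quote characters before
    interpolation, so the memo is displayed as literal text."""
    return TEMPLATE.format(memo=html.escape(memo, quote=True))


class _TagCollector(HTMLParser):
    """Collects start tags in the order the parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(body: str) -> list[str]:
    """Return the start tags present in a rendered email body."""
    collector = _TagCollector()
    collector.feed(body)
    collector.close()
    return collector.tags


def memo_injected_markup(body: str) -> bool:
    """Regression check for the fix: True when the rendered body contains tags
    beyond those the template contributes, i.e. the memo was rendered as markup."""
    return tags_in(body) != TEMPLATE_TAGS


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        body = renderer(SAMPLE_MEMO)
        print(f"{label}: tags={tags_in(body)} injected={memo_injected_markup(body)}")
```

The check in memo_injected_markup is deliberately structural rather than string based: it parses the rendered body and compares the tag sequence to what the template alone produces, so it catches any memo that survives as markup, not only the one constructed here. A test of this kind, run against each outbound email template with a memo that contains markup, is the assertion a maintainer would want in place before and after a fix like the one the advisory describes.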

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Thinkst/Canarytokens (inferred), 2 version ranges:
    • (no CPE) range: before 08c3f93d
    • (no CPE) range: from Docker tag sha-c0f3cf142 before sha-08c3f93d; from Git commit c0f3cf142 before 08c3f93d

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.