Vulnerability-Lookup

CVE-2026-35571 (GCVE-0-2026-35571)

Vulnerability from cvelistv5 – Published: 2026-04-07 15:26 – Updated: 2026-04-08 14:57

Title

Emissary has Stored XSS via Navigation Template Link Injection

Summary

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface. This vulnerability is fixed in 8.39.0.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/NationalSecurityAgency/emissar…	x_refsource_CONFIRM
	https://github.com/NationalSecurityAgency/emissar…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	NationalSecurityAgency	emissary	Affected: < 8.39.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35571",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T14:56:55.066521Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T14:57:05.392Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "emissary",
          "vendor": "NationalSecurityAgency",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 8.39.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface. This vulnerability is fixed in 8.39.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T15:26:30.391Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp"
        },
        {
          "name": "https://github.com/NationalSecurityAgency/emissary/pull/1293",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NationalSecurityAgency/emissary/pull/1293"
        }
      ],
      "source": {
        "advisory": "GHSA-cpm7-cfpx-3hvp",
        "discovery": "UNKNOWN"
      },
      "title": "Emissary has Stored XSS via Navigation Template Link Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-35571",
    "datePublished": "2026-04-07T15:26:30.391Z",
    "dateReserved": "2026-04-03T20:09:02.826Z",
    "dateUpdated": "2026-04-08T14:57:05.392Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-35571",
      "date": "2026-04-15",
      "epss": "0.00029",
      "percentile": "0.08084"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-35571\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-07T16:16:29.920\",\"lastModified\":\"2026-04-08T21:27:00.663\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface. This vulnerability is fixed in 8.39.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/NationalSecurityAgency/emissary/pull/1293\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-35571\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-08T14:56:55.066521Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-08T14:57:00.714Z\"}}], \"cna\": {\"title\": \"Emissary has Stored XSS via Navigation Template Link Injection\", \"source\": {\"advisory\": \"GHSA-cpm7-cfpx-3hvp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"NationalSecurityAgency\", \"product\": \"emissary\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 8.39.0\"}]}], \"references\": [{\"url\": \"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp\", \"name\": \"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/NationalSecurityAgency/emissary/pull/1293\", \"name\": \"https://github.com/NationalSecurityAgency/emissary/pull/1293\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface. This vulnerability is fixed in 8.39.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-07T15:26:30.391Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-35571\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-08T14:57:05.392Z\", \"dateReserved\": \"2026-04-03T20:09:02.826Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-07T15:26:30.391Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-35571

Vulnerability from fkie_nvd - Published: 2026-04-07 16:16 - Updated: 2026-04-08 21:27

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/NationalSecurityAgency/emissary/pull/1293
	security-advisories@github.com	https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface. This vulnerability is fixed in 8.39.0."
    }
  ],
  "id": "CVE-2026-35571",
  "lastModified": "2026-04-08T21:27:00.663",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-07T16:16:29.920",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NationalSecurityAgency/emissary/pull/1293"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-CPM7-CFPX-3HVP

Vulnerability from github – Published: 2026-04-07 20:17 – Updated: 2026-04-07 20:17

Summary

Emissary has Stored XSS via Navigation Template Link Injection

Details

Summary

Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface.

Details

Vulnerable code — `nav.mustache` (line 10)

{{#navItems}}
<li class="nav-item">
  <a class="nav-link" href="{{link}}">{{display}}</a>
</li>
{{/navItems}}

The {{link}} value was rendered without any scheme validation. Mustache's default HTML escaping protects against injection of new HTML tags but does not prevent javascript: URIs in href attributes, since javascript: contains no characters that HTML-escaping would alter.

Attack vector

An administrator sets a navigation item's link to:

javascript:alert(document.cookie)

Any authenticated user who clicks the navigation link executes the script in their browser context.

Impact

Session hijacking via cookie theft
Actions performed on behalf of the victim user
Requires administrative access to modify navigation configuration
Requires user interaction (clicking the malicious link)

Mitigating factors

Exploitation requires administrative access to modify the navItems configuration
User interaction (clicking the link) is required
The Emissary web interface is typically accessed only by authenticated operators within a trusted network

Remediation

Fixed in PR #1293, merged into release 8.39.0.

Server-side link validation — `NavAction.java`

An allowlist regex was added that only permits http://, https://, or site-relative (/) URLs:

private static final Pattern VALID_LINK = Pattern.compile("^(https?:/)?/.*");

private static boolean isValidLink(String link) {
    if (!VALID_LINK.matcher(link).matches()) {
        logger.warn("Skipping invalid navigation link '{}'", link);
        return false;
    }
    return true;
}

Invalid links are logged and silently dropped from the rendered navigation.

Template hardening — `nav.mustache`

Added rel="noopener noreferrer" to all navigation link anchor tags as a defense-in-depth measure:

<a class="nav-link" href="{{link}}" rel="noopener noreferrer">{{display}}</a>

Tests were added to verify that javascript: and ftp:// URIs are rejected while http://, https://, and site-relative (/path) links are accepted.

Workarounds

If upgrading is not immediately possible, audit the navigation configuration to ensure all navItems link values use only http://, https://, or relative (/) URL schemes.

References

PR #1293 — validate nav links
Original report: GHSA-wjqm-p579-x3ww

Severity ?

4.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.38.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "gov.nsa.emissary:emissary"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.39.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35571"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-07T20:17:14Z",
    "nvd_published_at": "2026-04-07T16:16:29Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nMustache navigation templates interpolated configuration-controlled link values\ndirectly into `href` attributes without URL scheme validation. An administrator\nwho could modify the `navItems` configuration could inject `javascript:` URIs,\nenabling stored cross-site scripting (XSS) against other authenticated users\nviewing the Emissary web interface.\n\n## Details\n\n### Vulnerable code \u2014 `nav.mustache` (line 10)\n\n```html\n{{#navItems}}\n\u003cli class=\"nav-item\"\u003e\n  \u003ca class=\"nav-link\" href=\"{{link}}\"\u003e{{display}}\u003c/a\u003e\n\u003c/li\u003e\n{{/navItems}}\n```\n\nThe `{{link}}` value was rendered without any scheme validation. Mustache\u0027s\ndefault HTML escaping protects against injection of new HTML tags but does\n**not** prevent `javascript:` URIs in `href` attributes, since `javascript:`\ncontains no characters that HTML-escaping would alter.\n\n### Attack vector\n\nAn administrator sets a navigation item\u0027s link to:\n```\njavascript:alert(document.cookie)\n```\n\nAny authenticated user who clicks the navigation link executes the script in\ntheir browser context.\n\n### Impact\n\n- Session hijacking via cookie theft\n- Actions performed on behalf of the victim user\n- Requires administrative access to modify navigation configuration\n- Requires user interaction (clicking the malicious link)\n\n### Mitigating factors\n\n- Exploitation requires administrative access to modify the `navItems`\n  configuration\n- User interaction (clicking the link) is required\n- The Emissary web interface is typically accessed only by authenticated\n  operators within a trusted network\n\n## Remediation\n\nFixed in [PR #1293](https://github.com/NationalSecurityAgency/emissary/pull/1293),\nmerged into release 8.39.0.\n\n### Server-side link validation \u2014 `NavAction.java`\n\nAn allowlist regex was added that only permits `http://`, `https://`, or\nsite-relative (`/`) URLs:\n\n```java\nprivate static final Pattern VALID_LINK = Pattern.compile(\"^(https?:/)?/.*\");\n\nprivate static boolean isValidLink(String link) {\n    if (!VALID_LINK.matcher(link).matches()) {\n        logger.warn(\"Skipping invalid navigation link \u0027{}\u0027\", link);\n        return false;\n    }\n    return true;\n}\n```\n\nInvalid links are logged and silently dropped from the rendered navigation.\n\n### Template hardening \u2014 `nav.mustache`\n\nAdded `rel=\"noopener noreferrer\"` to all navigation link anchor tags as a\ndefense-in-depth measure:\n\n```html\n\u003ca class=\"nav-link\" href=\"{{link}}\" rel=\"noopener noreferrer\"\u003e{{display}}\u003c/a\u003e\n```\n\nTests were added to verify that `javascript:` and `ftp://` URIs are rejected\nwhile `http://`, `https://`, and site-relative (`/path`) links are accepted.\n\n## Workarounds\n\nIf upgrading is not immediately possible, audit the navigation configuration\nto ensure all `navItems` link values use only `http://`, `https://`, or\nrelative (`/`) URL schemes.\n\n## References\n\n- [PR #1293 \u2014 validate nav links](https://github.com/NationalSecurityAgency/emissary/pull/1293)\n- Original report: GHSA-wjqm-p579-x3ww",
  "id": "GHSA-cpm7-cfpx-3hvp",
  "modified": "2026-04-07T20:17:14Z",
  "published": "2026-04-07T20:17:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35571"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/emissary/pull/1293"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/emissary/commit/e2078417464b9004620dde28dcbca2f73ea06c13"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NationalSecurityAgency/emissary"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Emissary has Stored XSS via Navigation Template Link Injection"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-35571 (GCVE-0-2026-35571)

FKIE_CVE-2026-35571

GHSA-CPM7-CFPX-3HVP

Summary

Details

Vulnerable code — nav.mustache (line 10)

Attack vector

Impact

Mitigating factors

Remediation

Server-side link validation — NavAction.java

Template hardening — nav.mustache

Workarounds

References

Tags

Sightings

Nomenclature

Vulnerable code — `nav.mustache` (line 10)

Server-side link validation — `NavAction.java`

Template hardening — `nav.mustache`