CVE-2026-35571
Stored XSS via Unvalidated href in Emissary Navigation Templates
Publication date: 2026-04-07
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nsa | emissary | up to and including 8.38.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35571 is a stored cross-site scripting (XSS) vulnerability in the Emissary web interface versions up to 8.38.0. The issue occurs because Mustache navigation templates interpolate configuration-controlled link values directly into href attributes without validating the URL scheme. This allows an administrator who can modify the navItems configuration to inject malicious javascript: URIs into navigation links.
When an authenticated user clicks such a malicious link, the injected JavaScript executes in their browser, potentially leading to session hijacking or other malicious actions. The vulnerability requires both administrative privileges to modify navigation links and user interaction to trigger the script.
This vulnerability was fixed in Emissary version 8.39.0 by adding server-side validation to allow only safe URL schemes (http://, https://, or relative paths) and by hardening the navigation template with additional security attributes.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker with administrative access to inject malicious JavaScript code into navigation links. When other authenticated users click these links, the malicious code executes in their browsers.
The potential impacts include session hijacking through cookie theft, which can compromise user accounts and lead to unauthorized access or actions within the Emissary web interface.
However, exploitation requires both high privileges (administrative access) and user interaction (clicking the malicious link), and the interface is typically accessed within trusted networks, which somewhat mitigates the risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by auditing the navItems configuration in the Emissary web interface to identify any navigation links that use unsafe URL schemes such as javascript: URIs.
Since the issue involves configuration-controlled link values interpolated into href attributes without URL scheme validation, you can search for navigation links containing 'javascript:' or other disallowed schemes.
Suggested commands include searching the configuration files or database entries where navItems are stored for suspicious URL schemes. For example, using grep on configuration files (with -i, because URL schemes are case-insensitive):
- grep -ri "javascript:" /path/to/emissary/config
- grep -ri "ftp://" /path/to/emissary/config
Additionally, reviewing the navItems configuration manually or via scripts to ensure all URLs start with http://, https://, or are site-relative paths (starting with /) can help detect the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Emissary to version 8.39.0 or later, where the vulnerability is fixed by server-side validation of navigation links.
If immediate upgrade is not possible, audit the navItems configuration to ensure that all navigation links use only allowed URL schemes: http://, https://, or site-relative paths starting with /.
Remove or replace any navigation links that contain javascript: URIs or other disallowed schemes to prevent stored cross-site scripting attacks.
As a defense-in-depth measure, ensure that navigation links include rel="noopener noreferrer" attributes to reduce the risk of malicious link exploitation.
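The audit described in the detection and mitigation answers above can be scripted as an allowlist check instead of a search for individual bad schemes. This is an added example, not Emissary's code or its 8.39.0 fix: the `label|href` input format, the function names and the sample entries are assumptions made for illustration, and the rejection of `//` links is stricter than what the text states.

```python
import re

# Allowlist as stated above: http://, https://, or site-relative paths ("/...").
ALLOWED_SCHEMES = {"http", "https"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

def normalize(href):
    """Mimic URL-parser preprocessing: drop tab/CR/LF, trim controls and spaces."""
    return re.sub(r"[\t\r\n]", "", href).strip(C0_AND_SPACE)

def classify_href(href):
    """Return 'ok', or a short reason the link falls outside the allowlist."""
    value = normalize(href)
    if not value:
        return "empty link"
    m = SCHEME_RE.match(value)
    if m:
        scheme = m.group(1).lower()  # schemes are case-insensitive
        if scheme not in ALLOWED_SCHEMES:
            return f"disallowed scheme '{scheme}'"
        return "ok" if value[m.end():].startswith("//") else "http(s) without //"
    # Assumption, stricter than the text: "//host" is not a site-relative path.
    if value.startswith(("//", "/\\")):
        return "protocol-relative link"
    return "ok" if value.startswith("/") else "not site-relative"

def audit_nav_items(lines):
    """Scan 'label|href' lines (hypothetical format); return (line, label, reason)."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        label, sep, href = line.partition("|")
        if sep and (verdict := classify_href(href)) != "ok":
            findings.append((lineno, label.strip(), verdict))
    return findings

# Constructed sample entries, not taken from any real Emissary configuration.
SAMPLE = [
    "Home|/index.html",
    "Docs|https://docs.example.org/",
    "Help|JavaScript:void(0)",
    "Status| java\tscript:void(0)",
    "Files|ftp://files.example.org/",
    "Mirror|//cdn.example.org/x",
]

if __name__ == "__main__":
    for finding in audit_nav_items(SAMPLE):
        print(finding)
```

Entries 3 and 4 of the sample are the cases a case-sensitive or exact-substring search passes over; the allowlist check reports them along with the `ftp://` and `//` links.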
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker with administrative privileges to inject malicious javascript: URIs into navigation links, which can execute stored cross-site scripting (XSS) attacks against authenticated users. This can lead to session hijacking and potential unauthorized access to user data.
Such unauthorized access and potential data exposure could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure application behavior.
However, exploitation requires both administrative access and user interaction, and the Emissary interface is typically used within trusted networks by authenticated operators, which somewhat mitigates the risk.
The vulnerability was fixed by adding strict URL scheme validation and other security measures, reducing the risk of non-compliance due to this issue.