CVE-2026-35571
Received Received - Intake
Stored XSS via Unvalidated href in Emissary Navigation Templates

Publication date: 2026-04-07

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface. This vulnerability is fixed in 8.39.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35571
EUVD
EUVD-2026-19724
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nsa emissary to 8.38.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker with administrative privileges to inject malicious javascript: URIs into navigation links, which can execute stored cross-site scripting (XSS) attacks against authenticated users. This can lead to session hijacking and potential unauthorized access to user data.

Such unauthorized access and potential data exposure could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure application behavior.

However, exploitation requires both administrative access and user interaction, and the Emissary interface is typically used within trusted networks by authenticated operators, which somewhat mitigates the risk.

The vulnerability was fixed by adding strict URL scheme validation and other security measures, reducing the risk of non-compliance due to this issue.

Executive Summary

CVE-2026-35571 is a stored cross-site scripting (XSS) vulnerability in the Emissary web interface versions up to 8.38.0. The issue occurs because Mustache navigation templates interpolate configuration-controlled link values directly into href attributes without validating the URL scheme. This allows an administrator who can modify the navItems configuration to inject malicious javascript: URIs into navigation links.

When an authenticated user clicks such a malicious link, the injected JavaScript executes in their browser, potentially leading to session hijacking or other malicious actions. The vulnerability requires both administrative privileges to modify navigation links and user interaction to trigger the script.

This vulnerability was fixed in Emissary version 8.39.0 by adding server-side validation to allow only safe URL schemes (http://, https://, or relative paths) and by hardening the navigation template with additional security attributes.

Impact Analysis

This vulnerability can impact you by allowing an attacker with administrative access to inject malicious JavaScript code into navigation links. When other authenticated users click these links, the malicious code executes in their browsers.

The potential impacts include session hijacking through cookie theft, which can compromise user accounts and lead to unauthorized access or actions within the Emissary web interface.

However, exploitation requires both high privileges (administrative access) and user interaction (clicking the malicious link), and the interface is typically accessed within trusted networks, which somewhat mitigates the risk.

Detection Guidance

This vulnerability can be detected by auditing the navItems configuration in the Emissary web interface to identify any navigation links that use unsafe URL schemes such as javascript: URIs.

Since the issue involves configuration-controlled link values interpolated into href attributes without URL scheme validation, you can search for navigation links containing 'javascript:' or other disallowed schemes.

Suggested commands include searching the configuration files or database entries where navItems are stored for suspicious URL schemes. For example, using grep on configuration files:

  • grep -r "javascript:" /path/to/emissary/config
  • grep -r "ftp://" /path/to/emissary/config

Additionally, reviewing the navItems configuration manually or via scripts to ensure all URLs start with http://, https://, or are site-relative paths (starting with /) can help detect the vulnerability.

Mitigation Strategies

The primary mitigation is to upgrade Emissary to version 8.39.0 or later, where the vulnerability is fixed by server-side validation of navigation links.

If immediate upgrade is not possible, audit the navItems configuration to ensure that all navigation links use only allowed URL schemes: http://, https://, or site-relative paths starting with /.

Remove or replace any navigation links that contain javascript: URIs or other disallowed schemes to prevent stored cross-site scripting attacks.

As a defense-in-depth measure, ensure that navigation links include rel="noopener noreferrer" attributes to reduce the risk of malicious link exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35571. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart