CVE-2026-35571

Emissary is a P2P-based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface. This vulnerability is fixed in 8.39.0.
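
The missing check described above is a URL scheme allowlist applied to each configured link before it is rendered into an href. The following is an added example, not Emissary's code and not the 8.39.0 patch; the navItems shape (label mapped to link), the function names, the placeholder base URL and all sample values are assumptions constructed for illustration.

```javascript
// Added example: scheme allowlist for configuration-supplied navigation links.
// Hypothetical names; the navItems shape and sample values are constructed.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Placeholder base, used only so relative links can be parsed.
const PARSE_BASE = "https://emissary.invalid/";

function isSafeNavLink(link) {
  if (typeof link !== "string" || link.trim() === "") return false;
  let parsed;
  try {
    // The WHATWG URL parser applies the same normalization a browser applies
    // to an href: it trims leading whitespace, drops embedded tabs and
    // newlines, and lowercases the scheme. A naive prefix check does not.
    parsed = new URL(link, PARSE_BASE);
  } catch {
    return false; // unparseable values are rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Split a label -> link map into entries that may be rendered and
// labels that should be dropped and logged at configuration load time.
function filterNavItems(navItems) {
  const accepted = {};
  const rejected = [];
  for (const [label, link] of Object.entries(navItems)) {
    if (isSafeNavLink(link)) accepted[label] = link;
    else rejected.push(label);
  }
  return { accepted, rejected };
}

// Constructed sample configuration.
const sampleNavItems = {
  "Home": "/emissary/",
  "Docs": "https://docs.example.invalid/emissary",
  "Mixed case": "JaVaScRiPt:void(0)",
  "Leading space": "  javascript:void(0)",
  "Embedded tab": "java\tscript:void(0)",
  "Data URI": "data:text/html,<p>x</p>",
};

console.log(filterNavItems(sampleNavItems));
```

Scheme validation complements the template engine's HTML escaping of the attribute value; it does not replace it.
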
Configurations

Configuration 1

cpe:2.3:a:nsa:emissary:*:*:*:*:*:*:*:*

History

27 Apr 2026, 14:37

Type | Values Removed | Values Added
CPE | | cpe:2.3:a:nsa:emissary:*:*:*:*:*:*:*:*
References | () https://github.com/NationalSecurityAgency/emissary/pull/1293 - | () https://github.com/NationalSecurityAgency/emissary/pull/1293 - Patch
References | () https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp - | () https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp - Exploit, Third Party Advisory, Mitigation
First Time | | Nsa; Nsa emissary

07 Apr 2026, 16:16

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-04-07 16:16

Updated : 2026-04-27 14:37


NVD link : CVE-2026-35571

Mitre link : CVE-2026-35571

CVE.ORG link : CVE-2026-35571


Products Affected

nsa

  • emissary
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')