CVE-2026-35571
Published 2026-04-07
Priority: P4
Severity: medium (CVSS 3.1 base score 4.8)
CVSS vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.18% (7.3th percentile)
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface. This vulnerability is fixed in 8.39.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nationalsecurityagency | emissary | < 8.39.0 | 8.39.0 |
| nsa | emissary | <= 8.38.0 | — |
GHSA advisory (published 2026-04-07)
CVE-2026-35571 [MEDIUM] CWE-79: Emissary has Stored XSS via Navigation Template Link Injection
## Summary
Mustache navigation templates interpolated configuration-controlled link values
directly into `href` attributes without URL scheme validation. An administrator
who could modify the `navItems` configuration could inject `javascript:` URIs,
enabling stored cross-site scripting (XSS) against other authenticated users
viewing the Emissary web interface.
## Details
### Vulnerable code — `nav.mustache` (line 10)
```html
{{#navItems}}
{{! the configured link value is placed straight into the href attribute }}
<a href="{{link}}">{{display}}</a>
{{/navItems}}
```
The `{{link}}` value was rendered without any scheme validation. Mustache's
default HTML escaping protects against injection of new HTML tags but does
**not** prevent `javascript:` URIs in `href` attributes, since `javascript:`
contains no characters that
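The following is an added example, not Emissary's code and not part of the advisory. It shows why Mustache-style HTML escaping leaves a `javascript:` link value untouched, and how a scheme allow-list applied to the `link` value before rendering closes the gap. The `escapeHtml`, `isSafeLink`, `renderNavItem` and `renderNav` functions and the `sampleNavItems` entries are constructed for this example; the validator uses Node's WHATWG `URL` parser so that leading whitespace, embedded tab/newline characters and scheme case are normalised the same way a browser would before the scheme is compared.

```javascript
// Added example (not Emissary's code): HTML escaping vs. URL scheme validation
// for configuration-controlled navigation links.

// Minimal stand-in for Mustache's default {{ }} HTML escaping. Note that it
// does nothing to the string "javascript:alert(1)", which contains none of
// the escaped characters.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Schemes a navigation link is allowed to use. Relative links resolve to the
// placeholder base below and therefore pass as https.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns true only for relative links or links using an allow-listed scheme.
// Parsing against a placeholder base makes the WHATWG parser strip leading
// control/space characters and ASCII tab/newline and lowercase the scheme,
// which is what a browser does before deciding that "JavaScript:" or
// "java\tscript:" is a javascript: URL.
function isSafeLink(link) {
  if (typeof link !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(link, 'https://placeholder.invalid/');
  } catch {
    return false; // unparseable value: treat as unsafe
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Renders one nav item the way the template loop does, but only after the
// link has been validated. A rejected link is replaced by "#" so the item
// still renders without a navigable target; failing config load is the
// stricter alternative.
function renderNavItem({ display, link }) {
  const href = isSafeLink(link) ? link : '#';
  return `<a href="${escapeHtml(href)}">${escapeHtml(display)}</a>`;
}

function renderNav(navItems) {
  return navItems.map(renderNavItem).join('\n');
}

// Constructed sample navItems configuration (not Emissary's defaults):
// two legitimate entries followed by values a scheme check must reject.
const sampleNavItems = [
  { display: 'Dashboard', link: '/emissary/Dashboard.action' },
  { display: 'Docs', link: 'https://docs.example.invalid/emissary' },
  { display: 'Help', link: 'javascript:alert(document.cookie)' },
  { display: 'Help (mixed case, leading space)', link: ' JavaScript:alert(1)' },
  { display: 'Help (embedded tab)', link: 'java\tscript:alert(1)' },
  { display: 'Help (data URI)', link: 'data:text/html,<b>x</b>' },
];

console.log(renderNav(sampleNavItems));
```

Running the block prints the rendered anchors: the first two keep their `href`, the remaining four render as `href="#"`. The allow-list is deliberately short; if a deployment needs `mailto:` or other schemes, add them explicitly rather than switching to a deny-list of known-bad prefixes, which the whitespace and case variants above are designed to slip past.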
OSV advisory (published 2026-04-07)
CVE-2026-35571 [MEDIUM]: Emissary has Stored XSS via Navigation Template Link Injection
No detection rules found.
No public exploits indexed.
Published: 2026-04-07