CVE-2026-35571: Stored Cross-Site Scripting via Sink-Context Mismatch in Emissary Navigation Templates
Vulnerability ID: CVE-2026-35571
CVSS Score: 4.8
Published: 2026-04-07
Emissary versions prior to 8.39.0 are vulnerable to a stored cross-site scripting (XSS) flaw within the web interface's navigation rendering component. The Mustache templating engine interpolates administrative configuration values directly into anchor tag attributes without URI scheme validation, allowing the injection of JavaScript execution contexts.
TL;DR
Emissary lacks URI scheme validation in its navigation configuration layer. Administrators can inject javascript: pseudo-protocols into navigation items, leading to stored XSS against other authenticated users viewing the interface. Version 8.39.0 patches this by enforcing strict server-side regex validation.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Score: 4.8
- Impact: Stored XSS / Session Hijacking
- Exploit Status: PoC Required
- CISA KEV: False
Affected Systems
- Emissary versions prior to 8.39.0
-
emissary: < 8.39.0 (Fixed in:
8.39.0)
Code Analysis
Commit: e207841
Validation for navigation links to prevent javascript execution
Mitigation Strategies
- Upgrade to Emissary version 8.39.0 or later.
- Audit existing navItems configurations for malicious URI schemes.
- Restrict administrative access to Emissary configuration interfaces.
Remediation Steps:
- Review current Emissary deployment version.
- Download Emissary release 8.39.0 from the official repository.
- Deploy the updated application binary to the production environment.
- Review the application configuration logs for past suspicious modifications.
References
Read the full report for CVE-2026-35571 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)