Medium severity 4.8 · NVD Advisory · Published Apr 7, 2026 · Updated Apr 27, 2026
CVE-2026-35571
Description
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface. This vulnerability is fixed in 8.39.0.
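Added example (not Emissary's code and not the 8.39.0 patch): a scheme allowlist check of the kind the description says was missing, applied to link values before they reach an href attribute. HTML escaping by the template does not help here, because a javascript: URI contains no character that escaping would change. The class name, the allowlist and the sample entries are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class NavLinkValidator {
    // Assumption: nav links only ever need http(s) or a relative path.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** True only if the link may be written into an href attribute. */
    static boolean isSafeHref(String link) {
        if (link == null || link.isEmpty()) return false;
        // Browsers drop tabs, newlines and leading control characters before
        // reading the scheme, so refuse any of them instead of trimming.
        for (int i = 0; i < link.length(); i++) {
            char c = link.charAt(i);
            if (c <= 0x20 || c == 0x7f) return false;
        }
        final URI uri;
        try {
            uri = new URI(link);
        } catch (URISyntaxException e) {
            return false; // fail closed on anything unparseable
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            // Relative reference; "//host/..." would leave the site.
            return !link.startsWith("//");
        }
        // Opaque forms such as "http:foo" have no host and are refused.
        return ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))
                && uri.getHost() != null;
    }

    public static void main(String[] args) {
        // Constructed sample entries (label -> link), not Emissary's real config.
        Map<String, String> navItems = new LinkedHashMap<>();
        navItems.put("Docs", "https://example.org/docs");
        navItems.put("Agents", "/docs/agents");
        navItems.put("Mixed case", "JavaScript:void(0)");
        navItems.put("Embedded tab", "java\tscript:void(0)");
        navItems.put("Data URI", "data:text/html,hello");
        navItems.forEach((label, link) -> System.out.printf(
                "%-13s %-28s %s%n", label, link.replace("\t", "\\t"),
                isSafeHref(link) ? "accept" : "reject"));
    }
}
```

Running the check when the configuration is loaded, and again at render time, keeps a rejected link from ever reaching the template.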
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gov.nsa.emissary:emissary (Maven) | < 8.39.0 | 8.39.0 |
References
- github.com/NationalSecurityAgency/emissary/pull/1293 (nvd: Patch, WEB)
- github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp (nvd: Exploit, Third Party Advisory, Mitigation, WEB)
- github.com/advisories/GHSA-cpm7-cfpx-3hvp (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-35571 (ghsa: ADVISORY)
- github.com/NationalSecurityAgency/emissary/commit/e2078417464b9004620dde28dcbca2f73ea06c13 (ghsa: WEB)