| Vulnerability ID | VCID-d1zn-ry4s-cbff |
| Aliases | CVE-2026-35571, GHSA-cpm7-cfpx-3hvp |
| Summary | Emissary has Stored XSS via Navigation Template Link Injection |

## Summary

Mustache navigation templates interpolated configuration-controlled link values directly into `href` attributes without URL scheme validation. An administrator who could modify the `navItems` configuration could inject `javascript:` URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface.

## Details

### Vulnerable code — `nav.mustache` (line 10)

```html
{{#navItems}}
<li class="nav-item">
  <a class="nav-link" href="{{link}}">{{display}}</a>
</li>
{{/navItems}}
```

The `{{link}}` value was rendered without any scheme validation. Mustache's default HTML escaping protects against injection of new HTML tags but does **not** prevent `javascript:` URIs in `href` attributes, since `javascript:` contains no characters that HTML-escaping would alter.

### Attack vector

An administrator sets a navigation item's link to:

```
javascript:alert(document.cookie)
```

Any authenticated user who clicks the navigation link executes the script in their browser context.

### Impact

- Session hijacking via cookie theft
- Actions performed on behalf of the victim user
- Requires administrative access to modify navigation configuration
- Requires user interaction (clicking the malicious link)

### Mitigating factors

- Exploitation requires administrative access to modify the `navItems` configuration
- User interaction (clicking the link) is required
- The Emissary web interface is typically accessed only by authenticated operators within a trusted network

## Remediation

Fixed in [PR #1293](https://github.com/NationalSecurityAgency/emissary/pull/1293), merged into release 8.39.0.

### Server-side link validation — `NavAction.java`

An allowlist regex was added that only permits `http://`, `https://`, or site-relative (`/`) URLs:

```java
private static final Pattern VALID_LINK = Pattern.compile("^(https?:/)?/.*");

private static boolean isValidLink(String link) {
    if (!VALID_LINK.matcher(link).matches()) {
        logger.warn("Skipping invalid navigation link '{}'", link);
        return false;
    }
    return true;
}
```

Invalid links are logged and silently dropped from the rendered navigation.

### Template hardening — `nav.mustache`

Added `rel="noopener noreferrer"` to all navigation link anchor tags as a defense-in-depth measure:

```html
<a class="nav-link" href="{{link}}" rel="noopener noreferrer">{{display}}</a>
```

Tests were added to verify that `javascript:` and `ftp://` URIs are rejected while `http://`, `https://`, and site-relative (`/path`) links are accepted.

## Workarounds

If upgrading is not immediately possible, audit the navigation configuration to ensure all `navItems` link values use only `http://`, `https://`, or relative (`/`) URL schemes.

## References

- [PR #1293 — validate nav links](https://github.com/NationalSecurityAgency/emissary/pull/1293)
- Original report: GHSA-wjqm-p579-x3ww
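The following is an added example, not code from the advisory or from Emissary, illustrating the two points above: HTML escaping leaves a `javascript:` scheme untouched, so the remediation has to be a scheme allowlist, and the same allowlist is the check behind the workaround. It reuses the advisory's regex in Python, with a constructed `navItems` list and hypothetical function names (`audit_nav_items`, `render_nav`).

```python
import html
import re

# Allowlist from the fix in NavAction.java: http://, https:// or site-relative "/".
# Java's matcher().matches() anchors the whole string; re.fullmatch does the same.
VALID_LINK = re.compile(r"^(https?:/)?/.*")


def is_valid_link(link: str) -> bool:
    """Server-side check equivalent to isValidLink in the fix."""
    return VALID_LINK.fullmatch(link) is not None


def escaping_leaves_scheme_intact(link: str) -> bool:
    """Mustache-style HTML escaping only rewrites &, <, > and quotes. A javascript:
    URI contains none of them, so escaping alone cannot neutralize it."""
    return html.escape(link, quote=True) == link


def audit_nav_items(nav_items):
    """Workaround check: the links an operator must fix before upgrading."""
    return [item["link"] for item in nav_items if not is_valid_link(item["link"])]


def render_nav(nav_items):
    """Rendering with the fix applied: invalid links are dropped, the rest are
    escaped and given rel="noopener noreferrer" as in the hardened nav.mustache."""
    out = []
    for item in nav_items:
        if not is_valid_link(item["link"]):
            continue  # the fix logs a warning and skips these
        out.append(
            '<li class="nav-item"><a class="nav-link" href="{}" '
            'rel="noopener noreferrer">{}</a></li>'.format(
                html.escape(item["link"], quote=True),
                html.escape(item["display"], quote=True),
            )
        )
    return out


# Constructed sample configuration, not from any real Emissary deployment.
SAMPLE_NAV_ITEMS = [
    {"display": "Home", "link": "/"},
    {"display": "Docs", "link": "https://docs.example.invalid/emissary"},
    {"display": "Mirror", "link": "http://mirror.example.invalid/"},
    {"display": "Files", "link": "ftp://files.example.invalid/"},
    {"display": "Help", "link": "javascript:alert(document.cookie)"},
]

if __name__ == "__main__":
    print("flagged by audit:", audit_nav_items(SAMPLE_NAV_ITEMS))
    print("\n".join(render_nav(SAMPLE_NAV_ITEMS)))
```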
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 6.2 |
| Risk | 3.1 |
| Affected and Fixed Packages | Package Details |
| Percentile | 0.07471 |
| EPSS Score | 0.00027 |
| Published At | April 8, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-04-08T12:46:17.835519+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-cpm7-cfpx-3hvp/GHSA-cpm7-cfpx-3hvp.json | 38.1.0 |