{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/350492?format=json","vulnerability_id":"VCID-d1zn-ry4s-cbff","summary":"Emissary has Stored XSS via Navigation Template Link Injection\n## Summary\n\nMustache navigation templates interpolated configuration-controlled link values\ndirectly into `href` attributes without URL scheme validation. An administrator\nwho could modify the `navItems` configuration could inject `javascript:` URIs,\nenabling stored cross-site scripting (XSS) against other authenticated users\nviewing the Emissary web interface.\n\n## Details\n\n### Vulnerable code — `nav.mustache` (line 10)\n\n```html\n{{#navItems}}\n<li class=\"nav-item\">\n  <a class=\"nav-link\" href=\"{{link}}\">{{display}}</a>\n</li>\n{{/navItems}}\n```\n\nThe `{{link}}` value was rendered without any scheme validation. Mustache's\ndefault HTML escaping protects against injection of new HTML tags but does\n**not** prevent `javascript:` URIs in `href` attributes, since `javascript:`\ncontains no characters that HTML-escaping would alter.\n\n### Attack vector\n\nAn administrator sets a navigation item's link to:\n```\njavascript:alert(document.cookie)\n```\n\nAny authenticated user who clicks the navigation link executes the script in\ntheir browser context.\n\n### Impact\n\n- Session hijacking via cookie theft\n- Actions performed on behalf of the victim user\n- Requires administrative access to modify navigation configuration\n- Requires user interaction (clicking the malicious link)\n\n### Mitigating factors\n\n- Exploitation requires administrative access to modify the `navItems`\n  configuration\n- User interaction (clicking the link) is required\n- The Emissary web interface is typically accessed only by authenticated\n  operators within a trusted network\n\n## Remediation\n\nFixed in [PR #1293](https://github.com/NationalSecurityAgency/emissary/pull/1293),\nmerged into release 8.39.0.\n\n### Server-side link validation — `NavAction.java`\n\nAn allowlist regex was added that only permits `http://`, `https://`, or\nsite-relative (`/`) URLs:\n\n```java\nprivate static final Pattern VALID_LINK = Pattern.compile(\"^(https?:/)?/.*\");\n\nprivate static boolean isValidLink(String link) {\n    if (!VALID_LINK.matcher(link).matches()) {\n        logger.warn(\"Skipping invalid navigation link '{}'\", link);\n        return false;\n    }\n    return true;\n}\n```\n\nInvalid links are logged and silently dropped from the rendered navigation.\n\n### Template hardening — `nav.mustache`\n\nAdded `rel=\"noopener noreferrer\"` to all navigation link anchor tags as a\ndefense-in-depth measure:\n\n```html\n<a class=\"nav-link\" href=\"{{link}}\" rel=\"noopener noreferrer\">{{display}}</a>\n```\n\nTests were added to verify that `javascript:` and `ftp://` URIs are rejected\nwhile `http://`, `https://`, and site-relative (`/path`) links are accepted.\n\n## Workarounds\n\nIf upgrading is not immediately possible, audit the navigation configuration\nto ensure all `navItems` link values use only `http://`, `https://`, or\nrelative (`/`) URL schemes.\n\n## References\n\n- [PR #1293 — validate nav links](https://github.com/NationalSecurityAgency/emissary/pull/1293)\n- Original report: GHSA-wjqm-p579-x3ww","aliases":[{"alias":"CVE-2026-35571"},{"alias":"GHSA-cpm7-cfpx-3hvp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1048895?format=json","purl":"pkg:maven/gov.nsa.emissary/emissary@8.39.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.39.0"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1055729?format=json","purl":"pkg:maven/gov.nsa.emissary/emissary@8.38.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d1zn-ry4s-cbff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.38.0"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35571","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07471","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07477","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07489","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07495","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08076","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08089","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08192","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08173","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08211","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08237","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09107","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35571"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/commit/e2078417464b9004620dde28dcbca2f73ea06c13","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary/commit/e2078417464b9004620dde28dcbca2f73ea06c13"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/pull/1293","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T14:56:55Z/"}],"url":"https://github.com/NationalSecurityAgency/emissary/pull/1293"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T14:56:55Z/"}],"url":"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35571","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35571"},{"reference_url":"https://github.com/advisories/GHSA-cpm7-cfpx-3hvp","reference_id":"GHSA-cpm7-cfpx-3hvp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cpm7-cfpx-3hvp"}],"weaknesses":[{"cwe_id":79,"name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","description":"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":"0.5","weighted_severity":"6.2","risk_score":3.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d1zn-ry4s-cbff"}