Platform
nodejs
Component
emissary
Fixed in
8.39.1
CVE-2026-35571 affects Emissary, a P2P workflow engine, where improperly validated Mustache navigation templates permit the injection of javascript: URIs into href attributes. This allows an administrator with configuration modification privileges to execute malicious scripts against other authenticated users accessing the Emissary web interface. The vulnerability impacts versions 0.0.0 through 8.38.9, but a patch is available in version 8.39.0.
CVE-2026-35571 affects Emissary, a P2P-based, data-driven workflow engine. Prior to version 8.39.0, Emissary directly interpolated configuration-controlled link values into 'href' attributes using Mustache navigation templates without proper URL scheme validation. This means an administrator who can modify the 'navItems' configuration could inject 'javascript:' URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface. The CVSS score for this vulnerability is 4.8. The root cause is a lack of sanitization of input, allowing malicious code execution within the user's browser context.
An attacker would need access to modify the 'navItems' configuration of Emissary. This could be achieved if the attacker has compromised an administrator's account or found a vulnerability in the configuration management system. Once the attacker has modified the configuration, they can inject a malicious script into a navigation link. When another authenticated user clicks on this link, the script executes in their browser, allowing the attacker to steal cookies, redirect the user to a malicious website, or perform other malicious actions on behalf of the user.
Exploit Status
EPSS
0.03% (8% percentile)
CISA SSVC
CVSS Vector
The solution to CVE-2026-35571 is to upgrade Emissary to version 8.39.0 or later. This version includes URL scheme validation to prevent the injection of 'javascript:' URIs into 'href' attributes. Additionally, it’s recommended to review and harden access controls to the 'navItems' configuration to limit who can modify it. Implementing a Content Security Policy (CSP) can also help mitigate the impact of a potential XSS attack, even if the upgrade cannot be applied immediately. Regularly monitoring Emissary logs for suspicious activity is also a good security practice.
Actualice a la versión 8.39.0 o posterior para mitigar la vulnerabilidad. Esta versión implementa la validación del esquema de URL para prevenir la inyección de javascript: URIs en los atributos href de las plantillas de navegación.
Vulnerability analysis and critical alerts directly to your inbox.
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
If you are using a version of Emissary prior to 8.39.0, you are likely affected. Verify your current version and upgrade as soon as possible.
The 'navItems' configuration defines the navigation elements displayed in the Emissary web interface.
A Content Security Policy (CSP) is an additional layer of security that allows administrators to control the resources that the browser is allowed to load for a web page.
Implementing a Content Security Policy (CSP) can help mitigate the risk, although it is not a complete solution. It is also recommended to carefully review the 'navItems' configuration and limit access to it.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.