GHSA-cpm7-cfpx-3hvp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cpm7-cfpx-3hvp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-cpm7-cfpx-3hvp/GHSA-cpm7-cfpx-3hvp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cpm7-cfpx-3hvp
- Aliases
-
- CVE-2026-35571
- Published
- 2026-04-07T20:17:14Z
- Modified
- 2026-04-07T20:32:51.555837Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Emissary has Stored XSS via Navigation Template Link Injection
- Details
-
Summary
Mustache navigation templates interpolated configuration-controlled link values directly into
hrefattributes without URL scheme validation. An administrator who could modify thenavItemsconfiguration could injectjavascript:URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface.Details
Vulnerable code —
nav.mustache(line 10){{#navItems}} <li class="nav-item"> <a class="nav-link" href="{{link}}">{{display}}</a> </li> {{/navItems}}The
{{link}}value was rendered without any scheme validation. Mustache's default HTML escaping protects against injection of new HTML tags but does not preventjavascript:URIs inhrefattributes, sincejavascript:contains no characters that HTML-escaping would alter.Attack vector
An administrator sets a navigation item's link to:
javascript:alert(document.cookie)Any authenticated user who clicks the navigation link executes the script in their browser context.
Impact
- Session hijacking via cookie theft
- Actions performed on behalf of the victim user
- Requires administrative access to modify navigation configuration
- Requires user interaction (clicking the malicious link)
Mitigating factors
- Exploitation requires administrative access to modify the
navItemsconfiguration - User interaction (clicking the link) is required
- The Emissary web interface is typically accessed only by authenticated operators within a trusted network
Remediation
Fixed in PR #1293, merged into release 8.39.0.
Server-side link validation —
NavAction.javaAn allowlist regex was added that only permits
http://,https://, or site-relative (/) URLs:private static final Pattern VALID_LINK = Pattern.compile("^(https?:/)?/.*"); private static boolean isValidLink(String link) { if (!VALID_LINK.matcher(link).matches()) { logger.warn("Skipping invalid navigation link '{}'", link); return false; } return true; }Invalid links are logged and silently dropped from the rendered navigation.
Template hardening —
nav.mustacheAdded
rel="noopener noreferrer"to all navigation link anchor tags as a defense-in-depth measure:<a class="nav-link" href="{{link}}" rel="noopener noreferrer">{{display}}</a>Tests were added to verify that
javascript:andftp://URIs are rejected whilehttp://,https://, and site-relative (/path) links are accepted.Workarounds
If upgrading is not immediately possible, audit the navigation configuration to ensure all
navItemslink values use onlyhttp://,https://, or relative (/) URL schemes.References
- PR #1293 — validate nav links
- Original report: GHSA-wjqm-p579-x3ww
- Database specific
{ "nvd_published_at": "2026-04-07T16:16:29Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2026-04-07T20:17:14Z" }- References
-
- https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp
- https://nvd.nist.gov/vuln/detail/CVE-2026-35571
- https://github.com/NationalSecurityAgency/emissary/pull/1293
- https://github.com/NationalSecurityAgency/emissary/commit/e2078417464b9004620dde28dcbca2f73ea06c13
- https://github.com/NationalSecurityAgency/emissary
Affected packages
Maven / gov.nsa.emissary:emissary
Package
- Name
- gov.nsa.emissary:emissary
- View open source insights on deps.dev
- Purl
- pkg:maven/gov.nsa.emissary/emissary
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed8.39.0