PT-2026-30890 · Emissary · Emissary

Brennantm · Published 2026-04-07 · Updated 2026-04-27 · CVE-2026-35571

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Emissary versions prior to 8.39.0

Description: Emissary, a P2P-based data-driven workflow engine, was found to have a stored cross-site scripting (XSS) issue. Prior to version 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without validating the URL scheme. An administrator with the ability to modify the navItems configuration could inject javascript: URIs, leading to XSS against authenticated users viewing the Emissary web interface. The vulnerable code is located in nav.mustache (line 10), where the {{link}} value is rendered without scheme validation. An attacker could set a navigation item's link to javascript:alert(document.cookie) to execute arbitrary JavaScript in the victim's browser context. Exploitation requires administrative access and user interaction (clicking the malicious link). The impact includes potential session hijacking via cookie theft and the ability to perform actions on behalf of the victim user.

Recommendations: Upgrade to version 8.39.0 or later. If upgrading is not immediately possible, audit the navItems configuration to ensure all link values use only http://, https://, or relative (/) URL schemes.
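A configuration audit for the recommendation above, written as an added example (not Emissary's own code): it accepts only the http://, https:// and root-relative (/) link values the advisory allows and flags everything else, normalising surrounding whitespace and control characters the way a browser does so a disallowed scheme cannot slip past a naive prefix check. The navItems structure (a list of objects with "label" and "link" keys) is an assumption.

```python
"""Audit Emissary navItems link values for unsafe URL schemes (added example)."""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# ASCII control characters and space, which browsers strip around a URL before parsing.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def is_safe_nav_link(link) -> bool:
    """True only for http://, https:// or root-relative (/) links, per the advisory."""
    if not isinstance(link, str):
        return False
    # Normalise the way a browser would, so a scheme cannot hide behind whitespace.
    cleaned = link.strip(_C0_AND_SPACE).replace("\t", "").replace("\n", "").replace("\r", "")
    if not cleaned:
        return False
    if cleaned.startswith("//"):
        return False  # protocol-relative: passes a naive "/" check but leaves the origin
    if cleaned.startswith("/"):
        return True
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return False
    # Anything without an explicit http(s) scheme and host (javascript:, data:, bare words) fails.
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def audit_nav_items(nav_items) -> list:
    """Return (label, link) pairs for every entry whose link fails is_safe_nav_link."""
    return [(item.get("label", "?"), item.get("link", ""))
            for item in nav_items
            if not is_safe_nav_link(item.get("link", ""))]


# Constructed sample; the "label"/"link" key names are an assumption, not Emissary's schema.
SAMPLE_NAV_ITEMS = [
    {"label": "Dashboard", "link": "/"},
    {"label": "Docs", "link": "https://example.com/docs"},
    {"label": "Reports", "link": "javascript:alert(document.cookie)"},
]

if __name__ == "__main__":
    for label, link in audit_nav_items(SAMPLE_NAV_ITEMS):
        print(f"UNSAFE navItems entry {label!r}: {link!r}")
```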

Tags: Exploit · Fix · XSS

Related Identifiers: CVE-2026-35571, GHSA-CPM7-CFPX-3HVP

Affected Products: Emissary