GHSA-CPM7-CFPX-3HVP
Vulnerability from github – Published: 2026-04-07 20:17 – Updated: 2026-04-07 20:17
VLAI?
Summary
Emissary has Stored XSS via Navigation Template Link Injection
Details
Summary
Mustache navigation templates interpolated configuration-controlled link values
directly into href attributes without URL scheme validation. An administrator
who could modify the navItems configuration could inject javascript: URIs,
enabling stored cross-site scripting (XSS) against other authenticated users
viewing the Emissary web interface.
Details
Vulnerable code — nav.mustache (line 10)
{{#navItems}}
<li class="nav-item">
<a class="nav-link" href="{{link}}">{{display}}</a>
</li>
{{/navItems}}
The {{link}} value was rendered without any scheme validation. Mustache's
default HTML escaping protects against injection of new HTML tags but does
not prevent javascript: URIs in href attributes, since javascript:
contains no characters that HTML-escaping would alter.
Attack vector
An administrator sets a navigation item's link to:
javascript:alert(document.cookie)
Any authenticated user who clicks the navigation link executes the script in their browser context.
Impact
- Session hijacking via cookie theft
- Actions performed on behalf of the victim user
- Requires administrative access to modify navigation configuration
- Requires user interaction (clicking the malicious link)
Mitigating factors
- Exploitation requires administrative access to modify the
navItemsconfiguration - User interaction (clicking the link) is required
- The Emissary web interface is typically accessed only by authenticated operators within a trusted network
Remediation
Fixed in PR #1293, merged into release 8.39.0.
Server-side link validation — NavAction.java
An allowlist regex was added that only permits http://, https://, or
site-relative (/) URLs:
private static final Pattern VALID_LINK = Pattern.compile("^(https?:/)?/.*");
private static boolean isValidLink(String link) {
if (!VALID_LINK.matcher(link).matches()) {
logger.warn("Skipping invalid navigation link '{}'", link);
return false;
}
return true;
}
Invalid links are logged and silently dropped from the rendered navigation.
Template hardening — nav.mustache
Added rel="noopener noreferrer" to all navigation link anchor tags as a
defense-in-depth measure:
<a class="nav-link" href="{{link}}" rel="noopener noreferrer">{{display}}</a>
Tests were added to verify that javascript: and ftp:// URIs are rejected
while http://, https://, and site-relative (/path) links are accepted.
Workarounds
If upgrading is not immediately possible, audit the navigation configuration
to ensure all navItems link values use only http://, https://, or
relative (/) URL schemes.
References
- PR #1293 — validate nav links
- Original report: GHSA-wjqm-p579-x3ww
Severity ?
4.8 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.38.0"
},
"package": {
"ecosystem": "Maven",
"name": "gov.nsa.emissary:emissary"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.39.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35571"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-07T20:17:14Z",
"nvd_published_at": "2026-04-07T16:16:29Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nMustache navigation templates interpolated configuration-controlled link values\ndirectly into `href` attributes without URL scheme validation. An administrator\nwho could modify the `navItems` configuration could inject `javascript:` URIs,\nenabling stored cross-site scripting (XSS) against other authenticated users\nviewing the Emissary web interface.\n\n## Details\n\n### Vulnerable code \u2014 `nav.mustache` (line 10)\n\n```html\n{{#navItems}}\n\u003cli class=\"nav-item\"\u003e\n \u003ca class=\"nav-link\" href=\"{{link}}\"\u003e{{display}}\u003c/a\u003e\n\u003c/li\u003e\n{{/navItems}}\n```\n\nThe `{{link}}` value was rendered without any scheme validation. Mustache\u0027s\ndefault HTML escaping protects against injection of new HTML tags but does\n**not** prevent `javascript:` URIs in `href` attributes, since `javascript:`\ncontains no characters that HTML-escaping would alter.\n\n### Attack vector\n\nAn administrator sets a navigation item\u0027s link to:\n```\njavascript:alert(document.cookie)\n```\n\nAny authenticated user who clicks the navigation link executes the script in\ntheir browser context.\n\n### Impact\n\n- Session hijacking via cookie theft\n- Actions performed on behalf of the victim user\n- Requires administrative access to modify navigation configuration\n- Requires user interaction (clicking the malicious link)\n\n### Mitigating factors\n\n- Exploitation requires administrative access to modify the `navItems`\n configuration\n- User interaction (clicking the link) is required\n- The Emissary web interface is typically accessed only by authenticated\n operators within a trusted network\n\n## Remediation\n\nFixed in [PR #1293](https://github.com/NationalSecurityAgency/emissary/pull/1293),\nmerged into release 8.39.0.\n\n### Server-side link validation \u2014 `NavAction.java`\n\nAn allowlist regex was added that only permits `http://`, `https://`, or\nsite-relative (`/`) URLs:\n\n```java\nprivate static final Pattern VALID_LINK = Pattern.compile(\"^(https?:/)?/.*\");\n\nprivate static boolean isValidLink(String link) {\n if (!VALID_LINK.matcher(link).matches()) {\n logger.warn(\"Skipping invalid navigation link \u0027{}\u0027\", link);\n return false;\n }\n return true;\n}\n```\n\nInvalid links are logged and silently dropped from the rendered navigation.\n\n### Template hardening \u2014 `nav.mustache`\n\nAdded `rel=\"noopener noreferrer\"` to all navigation link anchor tags as a\ndefense-in-depth measure:\n\n```html\n\u003ca class=\"nav-link\" href=\"{{link}}\" rel=\"noopener noreferrer\"\u003e{{display}}\u003c/a\u003e\n```\n\nTests were added to verify that `javascript:` and `ftp://` URIs are rejected\nwhile `http://`, `https://`, and site-relative (`/path`) links are accepted.\n\n## Workarounds\n\nIf upgrading is not immediately possible, audit the navigation configuration\nto ensure all `navItems` link values use only `http://`, `https://`, or\nrelative (`/`) URL schemes.\n\n## References\n\n- [PR #1293 \u2014 validate nav links](https://github.com/NationalSecurityAgency/emissary/pull/1293)\n- Original report: GHSA-wjqm-p579-x3ww",
"id": "GHSA-cpm7-cfpx-3hvp",
"modified": "2026-04-07T20:17:14Z",
"published": "2026-04-07T20:17:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35571"
},
{
"type": "WEB",
"url": "https://github.com/NationalSecurityAgency/emissary/pull/1293"
},
{
"type": "WEB",
"url": "https://github.com/NationalSecurityAgency/emissary/commit/e2078417464b9004620dde28dcbca2f73ea06c13"
},
{
"type": "PACKAGE",
"url": "https://github.com/NationalSecurityAgency/emissary"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Emissary has Stored XSS via Navigation Template Link Injection"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…