CVE-2026-35571: Emissary has Stored XSS via Navigation Template Link Injection
Mustache navigation templates interpolated configuration-controlled link values
directly into href attributes without URL scheme validation. An administrator
who could modify the navItems configuration could inject javascript: URIs,
enabling stored cross-site scripting (XSS) against other authenticated users
viewing the Emissary web interface.
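The pattern the advisory describes, and a scheme allow-list check against it, as an added example that is not Emissary's own code and not the project's actual fix. It assumes a hypothetical NavItem record and a hand-written renderer standing in for the Mustache navigation template, an allow-list of http and https only (an assumption; a deployment may also need mailto or similar), and Java 17 or later for records.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not Emissary code: validate configured navigation links
 * before they are interpolated into an href attribute.
 *
 * Vulnerable pattern the advisory describes: a template such as
 *   <a href="{{link}}">{{label}}</a>
 * with no check on the value. Mustache's HTML escaping leaves
 * "javascript:alert(1)" untouched, because it is a perfectly valid
 * attribute value; only a URL scheme check stops it.
 */
public final class SafeNavLink {

    // Assumed allow-list: the only schemes a nav item may link to.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    // Hypothetical configuration item; the real navItems shape is not shown here.
    public record NavItem(String label, String link) {}

    /**
     * Returns the configured value if it is a relative path or an http(s) URL,
     * otherwise "#" so the rendered page never carries javascript:, data:,
     * vbscript: or any other scriptable scheme.
     */
    public static String safeHref(String raw) {
        if (raw == null) return "#";
        // Browsers ignore leading/trailing whitespace and embedded tab/newline
        // when reading the scheme ("  java\tscript:"), so normalise first.
        String cleaned = raw.strip().replaceAll("[\\t\\n\\r]", "");
        if (cleaned.isEmpty()) return "#";
        URI uri;
        try {
            uri = new URI(cleaned);
        } catch (URISyntaxException e) {
            return "#"; // unparseable (illegal chars such as < or >): reject, never guess
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            // No scheme: a relative path such as "/docs" or "index.html".
            // Protocol-relative "//other.example" would leave the site, so reject it.
            return cleaned.startsWith("//") ? "#" : cleaned;
        }
        return ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT)) ? cleaned : "#";
    }

    // Attribute-context escaping, which is still required but is not a
    // substitute for the scheme check above.
    static String escapeAttr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }

    // Stand-in for the Mustache template: every href passes through safeHref.
    public static String renderNav(List<NavItem> items) {
        StringBuilder sb = new StringBuilder("<ul>\n");
        for (NavItem item : items) {
            sb.append("  <li><a href=\"").append(escapeAttr(safeHref(item.link())))
              .append("\">").append(escapeAttr(item.label())).append("</a></li>\n");
        }
        return sb.append("</ul>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample configuration, including entries an attacker
        // with write access to navItems might plant.
        List<NavItem> navItems = List.of(
            new NavItem("Home", "/"),
            new NavItem("Docs", "https://example.org/docs"),
            new NavItem("Plain", "javascript:alert(1)"),
            new NavItem("Mixed case", " JaVaScRiPt:alert(1)"),
            new NavItem("Data URL", "data:text/html,<script>alert(1)</script>"),
            new NavItem("Off-site", "//other.example/"));
        // Only Home and Docs keep their links; the rest render as href="#".
        System.out.println(renderNav(navItems));
    }
}
```

Rendering "#" for a rejected value keeps the menu intact while making the injection inert; a stricter deployment could instead drop the item and log the rejected value, which also gives detection a signal that someone changed navItems to a non-http(s) link. Either way the decision rests on the parsed scheme, not on a deny-list of strings like "javascript:", which the mixed-case and whitespace entries above would slip past.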
References
- github.com/NationalSecurityAgency/emissary
- github.com/NationalSecurityAgency/emissary/commit/e2078417464b9004620dde28dcbca2f73ea06c13
- github.com/NationalSecurityAgency/emissary/pull/1293
- github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp
- github.com/advisories/GHSA-cpm7-cfpx-3hvp
- nvd.nist.gov/vuln/detail/CVE-2026-35571