CVE-2026-35571
4.8
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 / Impact: 2.7
Source: security-advisories@github.com (Secondary)
Description
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface. This vulnerability is fixed in 8.39.0.
Affected (1)
References (2)
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
ExploitThird Party AdvisoryMitigation
Timeline
No history available yet.