Stored Cross-Site Scripting Exposure in Emissary by National Security Agency
CVE-2026-35571
4.8 MEDIUM
What is CVE-2026-35571?
Emissary, a P2P data-driven workflow engine, contains a vulnerability that allows administrators to modify the navItems configuration and inject potentially malicious javascript: URIs. This can lead to stored XSS attacks against other authenticated users who view the Emissary web interface. The vulnerability arises because configuration-controlled link values are placed in href attributes without validation of the URL scheme. This issue has been addressed in version 8.39.0.
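One way to implement the missing scheme check is shown below as an added example; it is not Emissary's code or the 8.39.0 fix. It uses JavaScript because `new URL` applies the same parsing browsers apply to href values, and `safeHref`, `renderNav`, the `emissary.invalid` base and the sample navItems map are hypothetical.

```javascript
// Added example, not Emissary code. Names and sample values are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const BASE = new URL("https://emissary.invalid/"); // placeholder base for relative links

// Return a normalized link if it resolves to an allowed scheme, else null.
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // WHATWG parsing, the algorithm browsers apply to href values: it strips
    // leading/trailing spaces and control characters, removes embedded
    // tab/CR/LF, and lowercases the scheme before we compare it.
    url = new URL(raw, BASE);
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // Relative links come back as a path; absolute ones as the parsed URL.
  return url.origin === BASE.origin
    ? url.pathname + url.search + url.hash
    : url.href;
}

// Escape a value for use inside a double-quoted HTML attribute or text node.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Render nav links, dropping any entry whose link fails validation.
function renderNav(navItems) {
  return Object.entries(navItems)
    .map(([label, link]) => [label, safeHref(link)])
    .filter(([, href]) => href !== null)
    .map(([label, href]) => `<a href="${escapeHtml(href)}">${escapeHtml(label)}</a>`)
    .join("\n");
}

// Constructed sample configuration: two legitimate links, three rejected ones.
const sampleNavItems = {
  "Docs": "https://example.org/docs",
  "Agents": "/nav/agents",
  "Plain": "javascript:alert(1)",
  "Mixed case": " JaVaScRiPt:alert(1)",
  "Embedded tab": "java\tscript:alert(1)",
};
```

Comparing the parsed scheme against an allowlist, instead of searching the raw string for `javascript:`, is what catches the mixed-case and embedded-tab variants.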
Affected Version(s)
emissary < 8.39.0
