CVE-2026-35571
MEDIUM
NVD
CVSS Score
4.8
Severity
MEDIUM
Published
Apr 07, 2026
Vendor
unknown
Description
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against other authenticated users viewing the Emissary web interface. This vulnerability is fixed in 8.39.0.