SB2026040797 - Multiple vulnerabilities in emissary
Published: April 7, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-35571)
The vulnerability allows a remote user to perform cross-site scripting.
The vulnerability exists due to improper input validation in the nav.mustache navigation template when rendering configuration-controlled link values into href attributes. A remote privileged user can inject a javascript: URI into a navigation item link to perform cross-site scripting.
User interaction is required, as a victim must click the malicious navigation link in the web interface.
2) Command injection (CVE-ID: CVE-2026-35580)
The vulnerability allows a remote user to execute arbitrary code and compromise the software supply chain.
The vulnerability exists due to command injection in GitHub Actions workflow files when processing user-controlled workflow_dispatch inputs in run blocks. A remote privileged user can supply crafted workflow inputs to execute arbitrary code and compromise the software supply chain.
Exploitation occurs within the CI/CD runner and may allow access to the job's GITHUB_TOKEN permissions and secrets from the GitHub Actions environment.
3) Command injection (CVE-ID: CVE-2026-35581)
The vulnerability allows a remote user to execute arbitrary commands.
The vulnerability exists due to command injection in the Executrix utility class when processing configuration-derived PLACE_NAME values in shell commands. A remote privileged user can supply a specially crafted PLACE_NAME value to execute arbitrary commands.
Exploitation requires control over configuration values, such as through administrative access or a compromised configuration source.
4) Path traversal (CVE-ID: CVE-2026-35583)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to path traversal in the configuration API endpoint /api/configuration/{name} when processing crafted configuration names. A remote attacker can send a specially crafted request to disclose sensitive information.
The issue can be triggered by using URL-encoded variants, double-encoded sequences, or Unicode normalization to access configuration files outside the intended directory.
Remediation
Install update from vendor's website.
References
- https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp
- https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3g6g-gq4r-xjm9
- https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v
- https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm