SB2026040797 - Multiple vulnerabilities in emissary
Published: April 7, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-35571)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to perform cross-site scripting.
The vulnerability exists due to improper input validation in the nav.mustache navigation template when rendering configuration-controlled link values into href attributes. A remote privileged user can inject a javascript: URI into a navigation item link to perform cross-site scripting.
User interaction is required, as a victim must click the malicious navigation link in the web interface.
2) Command injection (CVE-ID: CVE-2026-35580)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code and compromise the software supply chain.
The vulnerability exists due to command injection in GitHub Actions workflow files when processing user-controlled workflow_dispatch inputs in run blocks. A remote privileged user can supply crafted workflow inputs to execute arbitrary code and compromise the software supply chain.
Exploitation occurs within the CI/CD runner and may allow access to the job's GITHUB_TOKEN permissions and secrets from the GitHub Actions environment.
3) Command injection (CVE-ID: CVE-2026-35581)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary commands.
The vulnerability exists due to command injection in the Executrix utility class when processing configuration-derived PLACE_NAME values in shell commands. A remote privileged user can supply a specially crafted PLACE_NAME value to execute arbitrary commands.
Exploitation requires control over configuration values, such as through administrative access or a compromised configuration source.
4) Path traversal (CVE-ID: CVE-2026-35583)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to path traversal in the configuration API endpoint /api/configuration/{name} when processing crafted configuration names. A remote attacker can send a specially crafted request to disclose sensitive information.
The issue can be triggered by using URL-encoded variants, double-encoded sequences, or Unicode normalization to access configuration files outside the intended directory.
Remediation
Install update from vendor's website.
References
- https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp
- https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3g6g-gq4r-xjm9
- https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v
- https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm