CVE-2026-35582
- EPSS 0.05%
- Veröffentlicht 18.04.2026 01:16:27
- Zuletzt bearbeitet 20.04.2026 19:03:07
Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping ...
CVE-2026-35583
- EPSS 0.04%
- Veröffentlicht 07.04.2026 15:57:41
- Zuletzt bearbeitet 16.04.2026 18:57:47
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for \, /, .., and trailing .. This could potentiall...
CVE-2026-35581
- EPSS 0.06%
- Veröffentlicht 07.04.2026 15:56:55
- Zuletzt bearbeitet 16.04.2026 18:00:24
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACE_NAME parameter — with insufficient sanitization. Only spa...
CVE-2026-35580
- EPSS 0.02%
- Veröffentlicht 07.04.2026 15:55:56
- Zuletzt bearbeitet 16.04.2026 17:59:02
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression s...
CVE-2026-35571
- EPSS 0.03%
- Veröffentlicht 07.04.2026 15:26:30
- Zuletzt bearbeitet 08.04.2026 21:27:00
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the n...
CVE-2025-27508
- EPSS 0.09%
- Veröffentlicht 05.03.2025 22:15:35
- Zuletzt bearbeitet 15.04.2026 00:35:42
Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SH...
CVE-2021-32639
- EPSS 0.78%
- Veröffentlicht 02.07.2021 16:15:08
- Zuletzt bearbeitet 21.11.2024 06:07:26
Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the `RegisterPeerAction` endpoint and the `AddChildDirectoryAction` endpoint are vulnerable to SSRF. This...
CVE-2021-32647
- EPSS 3.43%
- Veröffentlicht 01.06.2021 14:15:10
- Zuletzt bearbeitet 21.11.2024 06:07:27
Emissary is a P2P based data-driven workflow engine. Affected versions of Emissary are vulnerable to post-authentication Remote Code Execution (RCE). The [`CreatePlace`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a92...
CVE-2021-32634
- EPSS 3.05%
- Veröffentlicht 21.05.2021 18:15:08
- Zuletzt bearbeitet 21.11.2024 06:07:25
Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerable to Unsafe Deserialization of post-authenticated requests to the [`WorkSpaceClientEnqueue.action`](https://github.com/NationalSecurityAgency/emissary...
CVE-2021-32092
- EPSS 0.48%
- Veröffentlicht 07.05.2021 05:15:08
- Zuletzt bearbeitet 21.11.2024 06:06:49
A Cross-site scripting (XSS) vulnerability in the DocumentAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows remote attackers to inject arbitrary web script or HTML via the uuid parameter.