gov.nsa.emissary:emissary
Maven | 6 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting gov.nsa.emissary:emissary (page 1 of 1)
- CVE-2025-27508 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 8.24.0 | 2025-03-05
vulnerable: 8.0.0 ... 8.9.0 (23 versions)
Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use case…
- CVE-2026-35571 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 8.39.0 | 2026-04-07
vulnerable: 8.0.0 ... 8.9.0 (42 versions)
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could m…
- CVE-2026-35580 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 8.39.0 | 2026-04-07
vulnerable: 8.0.0 ... 8.9.0 (42 versions)
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} e…
- CVE-2026-35581 | HIGH | CVSS 7.2 | EG 7.2 | ✓ Fixed in 8.39.0 | 2026-04-07
vulnerable: 8.0.0 ... 8.9.0 (42 versions)
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACE_NAME parameter — with insufficient sanitiz…
- CVE-2026-35582 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 8.43.0 | 2026-04-18
vulnerable: 8.0.0 ... 8.9.0 (46 versions)
Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without an…
- CVE-2026-35583 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 8.39.0 | 2026-04-07
vulnerable: 8.0.0 ... 8.9.0 (42 versions)
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for \, /, .., and trailing .. This could…