Nationalsecurityagency Emissary vulnerabilities
9 known vulnerabilities affecting nationalsecurityagency/emissary.
Total CVEs
9
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL3HIGH4MEDIUM2
Vulnerabilities
Page 1 of 1
CVE-2021-32647P2CRITICALCVSS 9.1v= 6.4.02021-06-01
CVE-2021-32647 [CRITICAL] CWE-74 CVE-2021-32647: Emissary is a P2P based data-driven workflow engine. Affected versions of Emissary are vulnerable to
Emissary is a P2P based data-driven workflow engine. Affected versions of Emissary are vulnerable to post-authentication Remote Code Execution (RCE). The [`CreatePlace`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/CreatePlaceAction.java#L36) REST endpoin
nvd
CVE-2026-35580P3CRITICALCVSS 9.1fixed in 8.39.02026-04-07
CVE-2026-35580 [CRITICAL] CWE-77 CVE-2026-35580: Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to rep
nvd
CVE-2026-35582P3HIGHCVSS 8.8fixed in 8.43.02026-04-18
CVE-2026-35582 [HIGH] CWE-78 CVE-2026-35582: Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getComm
Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The IN_FILE_ENDING and OUT_FILE_ENDING configuration keys flow directly into these p
nvd
CVE-2021-32639P3CRITICALCVSS 9.9≤ 6.4.02021-07-02
CVE-2021-32639 [CRITICAL] CWE-918 CVE-2021-32639: Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server
Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the `RegisterPeerAction` endpoint and the `AddChildDirectoryAction` endpoint are vulnerable to SSRF. This vulnerability may lead to credential leaks. Emissary version 7.0 contains a patch. As a workaround
nvd
CVE-2026-35581P3HIGHCVSS 7.2fixed in 8.39.02026-04-07
CVE-2026-35581 [HIGH] CWE-78 CVE-2026-35581: Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class co
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACE_NAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass throu
nvd
CVE-2021-32634P3HIGHCVSS 7.2fixed in 6.5.02021-05-21
CVE-2021-32634 [HIGH] CWE-502 CVE-2021-32634: Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerabl
Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerable to Unsafe Deserialization of post-authenticated requests to the [`WorkSpaceClientEnqueue.action`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/WorkSpaceClie
nvd
CVE-2025-27508P3HIGHCVSS 7.5fixed in 8.24.02025-03-05
CVE-2025-27508 [HIGH] CWE-327 CVE-2025-27508: Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for
Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These algorithms, while possibly valid for certain non-security-critical tasks,
nvd
CVE-2026-35583P3MEDIUMCVSS 5.3fixed in 8.39.02026-04-07
CVE-2026-35583 [MEDIUM] CWE-22 CVE-2026-35583: Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for \, /, .., and trailing .. This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path tr
nvd
CVE-2026-35571P4MEDIUMCVSS 4.8fixed in 8.39.02026-04-07
CVE-2026-35571 [MEDIUM] CWE-79 CVE-2026-35571: Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting (XSS) against
nvd