VYPR

Maven package

gov.nsa.emissary/emissary

pkg:maven/gov.nsa.emissary/emissary

Vulnerabilities (6)

  • CVE-2026-35582 | High | Apr 18, 2026
    affected < 8.43.0, fixed 8.43.0

    Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The IN_FI

  • CVE-2026-35583 | Medium | Apr 7, 2026
    affected < 8.39.0, fixed 8.39.0

    Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for \, /, .., and trailing .. This could potentially be bypassed using URL-encode

  • CVE-2026-35581 | High | Apr 7, 2026
    affected < 8.39.0, fixed 8.39.0

    Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACE_NAME parameter — with insufficient sanitization. Only spaces were replaced with undersc

  • CVE-2026-35580 | Critical | Apr 7, 2026
    affected < 8.39.0, fixed 8.39.0

    Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with reposi

  • CVE-2026-35571 | Medium | Apr 7, 2026
    affected < 8.39.0, fixed 8.39.0

    Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could in

  • CVE-2025-27508 | High | Mar 5, 2025
    affected < 8.24.0, fixed 8.24.0

    Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP). These