VYPR

Emissary

by Nationalsecurityagency

Source repositories

CVEs (14)

  • CVE-2021-32096HigMay 7, 2021
    risk 0.57cvss 8.8epss 0.01

    The ConsoleAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows a CSRF attack that results in injecting arbitrary Ruby code (for an eval call) via the CONSOLE_COMMAND_STRING parameter.

  • CVE-2021-32094HigMay 7, 2021
    risk 0.57cvss 8.8epss 0.01

    U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to upload arbitrary files.

  • CVE-2021-32095HigMay 7, 2021
    risk 0.53cvss 8.1epss 0.01

    U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to delete arbitrary files.

  • CVE-2026-35580CriApr 7, 2026
    risk 0.52cvss 9.1epss 0.01

    Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with…

  • CVE-2021-32647HigJun 1, 2021
    risk 0.52cvss 8.0epss 0.03

    Emissary is a P2P based data-driven workflow engine. Affected versions of Emissary are vulnerable to post-authentication Remote Code Execution (RCE). The [`CreatePlace`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java…

  • CVE-2026-35582HigApr 18, 2026
    risk 0.50cvss 8.8epss 0.01

    Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The…

  • CVE-2021-32639HigJul 2, 2021
    risk 0.47cvss 7.2epss 0.01

    Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the `RegisterPeerAction` endpoint and the `AddChildDirectoryAction` endpoint are vulnerable to SSRF. This vulnerability may lead to…

  • CVE-2025-27508HigMar 5, 2025
    risk 0.42cvss 7.5epss 0.00

    Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for hashing and checksum generation, but it includes or defaults to algorithms that are no longer recommended for secure cryptographic use cases (e.g., SHA-1, CRC32, and SSDEEP).…

  • CVE-2021-32093MedMay 7, 2021
    risk 0.42cvss 6.5epss 0.01

    The ConfigFileAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to read arbitrary files via the ConfigName parameter.

  • CVE-2026-35581HigApr 7, 2026
    risk 0.40cvss 7.2epss 0.01

    Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACE_NAME parameter — with insufficient sanitization. Only spaces were replaced with…

  • CVE-2021-32092MedMay 7, 2021
    risk 0.40cvss 6.1epss 0.01

    A Cross-site scripting (XSS) vulnerability in the DocumentAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows remote attackers to inject arbitrary web script or HTML via the uuid parameter.

  • CVE-2026-35583MedApr 7, 2026
    risk 0.27cvss 5.3epss 0.00

    Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for \, /, .., and trailing .. This could potentially be bypassed using…

  • CVE-2026-35571MedApr 7, 2026
    risk 0.24cvss 4.8epss 0.00

    Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could…

  • CVE-2021-32634HigMay 21, 2021
    risk 0.00cvss 7.2epss 0.01

    Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerable to Unsafe Deserialization of post-authenticated requests to the [`WorkSpaceClientEnqueue.action`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a92…