gov.nsa.emissary:emissary (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package gov.nsa.emissary:emissary, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (6)
CVE-2026-35580 — CVSS 9.1 (critical): Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where…
CVE-2026-35582 — CVSS 8.8 (high): Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command…
CVE-2025-27508 — CVSS 7.5 (high): Emissary is a P2P based data-driven workflow engine. The ChecksumCalculator class within allows for hashing and checksum generation, but it…
CVE-2026-35581 — CVSS 7.2 (high): Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by…
CVE-2026-35583 — CVSS 5.3 (medium): Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated…
CVE-2026-35571 — CVSS 4.8 (medium): Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled…