Skip to main content

Emissary

11 CVEs product

Monthly

CVE-2026-35583 Maven MEDIUM PATCH GHSA This Month

{name} endpoint. The vulnerability stems from incomplete blacklist validation of configuration names that can be bypassed using URL-encoded variants, double-encoding, or Unicode normalization attacks. No public exploit code or active exploitation has been confirmed.

Path Traversal Emissary
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-35581 Maven HIGH PATCH GHSA This Week

Command injection in NSA Emissary P2P workflow engine (versions prior to 8.39.0) allows authenticated remote administrators to execute arbitrary shell commands through unsanitized PLACE_NAME parameter values. The Executrix utility class passes configuration-derived values directly to /bin/sh -c with only space-to-underscore sanitization, enabling shell metacharacters (semicolons, pipes, backticks) to trigger command execution. CVSS 7.2 (High) reflects network accessibility with low attack complexity, though exploitation requires high-privilege administrator credentials (PR:H). No public exploit code identified at time of analysis, with EPSS data unavailable for this recent CVE. Vendor-released patch available in version 8.39.0 per GitHub security advisory.

Command Injection Emissary
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-35571 Maven MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Emissary prior to 8.39.0 allows authenticated administrators to inject malicious javascript: URIs into navigation item configuration, which are then rendered unsafely in href attributes viewed by other authenticated users. The vulnerability requires high-privilege administrative access to modify navItems configuration but affects all other users accessing the web interface, with confirmed fix available in version 8.39.0.

XSS Emissary
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2021-32639 CRITICAL POC Act Now

Emissary is a P2P-based, data-driven workflow engine. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Emissary
NVD GitHub
CVSS 3.1
9.9
EPSS
1.4%
CVE-2021-32647 CRITICAL POC PATCH Act Now

Emissary is a P2P based data-driven workflow engine. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Information Disclosure Java Emissary
NVD GitHub
CVSS 3.1
9.1
EPSS
2.9%
CVE-2021-32634 HIGH PATCH This Week

Emissary is a distributed, peer-to-peer, data-driven workflow framework. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Java Emissary
NVD GitHub
CVSS 3.1
7.2
EPSS
1.3%
CVE-2021-32093 MEDIUM POC This Month

The ConfigFileAction component of U.S. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Emissary
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-32092 MEDIUM POC This Month

A Cross-site scripting (XSS) vulnerability in the DocumentAction component of U.S. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Emissary
NVD
CVSS 3.1
6.1
EPSS
1.0%
CVE-2021-32096 HIGH POC This Week

The ConsoleAction component of U.S. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Emissary
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2021-32095 HIGH This Week

U.S. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Emissary
NVD
CVSS 3.1
8.1
EPSS
0.9%
CVE-2021-32094 HIGH This Week

U.S. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Emissary
NVD
CVSS 3.1
8.8
EPSS
1.2%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

{name} endpoint. The vulnerability stems from incomplete blacklist validation of configuration names that can be bypassed using URL-encoded variants, double-encoding, or Unicode normalization attacks. No public exploit code or active exploitation has been confirmed.

Path Traversal Emissary
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Command injection in NSA Emissary P2P workflow engine (versions prior to 8.39.0) allows authenticated remote administrators to execute arbitrary shell commands through unsanitized PLACE_NAME parameter values. The Executrix utility class passes configuration-derived values directly to /bin/sh -c with only space-to-underscore sanitization, enabling shell metacharacters (semicolons, pipes, backticks) to trigger command execution. CVSS 7.2 (High) reflects network accessibility with low attack complexity, though exploitation requires high-privilege administrator credentials (PR:H). No public exploit code identified at time of analysis, with EPSS data unavailable for this recent CVE. Vendor-released patch available in version 8.39.0 per GitHub security advisory.

Command Injection Emissary
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored cross-site scripting in Emissary prior to 8.39.0 allows authenticated administrators to inject malicious javascript: URIs into navigation item configuration, which are then rendered unsafely in href attributes viewed by other authenticated users. The vulnerability requires high-privilege administrative access to modify navItems configuration but affects all other users accessing the web interface, with confirmed fix available in version 8.39.0.

XSS Emissary
NVD GitHub VulDB
EPSS 1% CVSS 9.9
CRITICAL POC Act Now

Emissary is a P2P-based, data-driven workflow engine. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Emissary
NVD GitHub
EPSS 3% CVSS 9.1
CRITICAL POC PATCH Act Now

Emissary is a P2P based data-driven workflow engine. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Information Disclosure Java +1
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Emissary is a distributed, peer-to-peer, data-driven workflow framework. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Java +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The ConfigFileAction component of U.S. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Emissary
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

A Cross-site scripting (XSS) vulnerability in the DocumentAction component of U.S. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Emissary
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

The ConsoleAction component of U.S. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Emissary
NVD
EPSS 1% CVSS 8.1
HIGH This Week

U.S. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Emissary
NVD
EPSS 1% CVSS 8.8
HIGH This Week

U.S. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Emissary
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy