Nixpkgs security tracker

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-35580

9.1 CRITICAL

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 1 month, 2 weeks ago by @LeSuisse Activity log

Created suggestion 1 month, 2 weeks ago
@LeSuisse ignored package emissary 1 month, 2 weeks ago
@LeSuisse dismissed (not in Nixpkgs) 1 month, 2 weeks ago

Emissary has GitHub Actions Shell Injection via Workflow Inputs

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users. This vulnerability is fixed in 8.39.0.

References

https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3g6g-gq4r-xjm9 x_refsource_CONFIRM
https://github.com/NationalSecurityAgency/emissary/pull/1286 x_refsource_MISC
https://github.com/NationalSecurityAgency/emissary/pull/1288 x_refsource_MISC

Affected products

emissary

==< 8.39.0

Ignored packages (1)

pkgs.emissary

Rust implementation of the I2P protocol stack

nixos-unstable 0.3.1
- nixpkgs-unstable 0.3.1
- nixos-unstable-small 0.3.1

Suggestion detail

References

Affected products

pkgs.emissary