CVE-2026-35581

HIGH EPSS 42.6%

Published Apr 7, 20262mo ago · Modified Jun 17, 20261w ago

7.2 CVSS 3.1

High

Published Apr 7, 2026 2mo ago

Last Modified Jun 17, 2026 1w ago

Description

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACE_NAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass through into /bin/sh -c command execution. This vulnerability is fixed in 8.39.0.

CVSS Details

Base Score

7.2

Exploitability

1.2

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

42.6% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-78 OS Command Injection Injection

Affected Products 1

Vendor	Product	Version	Range
nsa	emissary	*	≤8.38.0

References 1

github.com https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v

ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.