High severity 7.2 · NVD Advisory · Published Apr 7, 2026 · Updated Apr 16, 2026
CVE-2026-35581
Description
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACE_NAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass through into /bin/sh -c command execution. This vulnerability is fixed in 8.39.0.
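The gap between the spaces-only replacement described above and an allowlist check, shown as an added example. It is not Emissary's Executrix code and not the fix shipped in 8.39.0; the class, method names, allowlist pattern, tool path and sample values are all assumptions made for illustration.

```java
import java.util.regex.Pattern;

// Added illustration; every name here is hypothetical, not from Emissary.
public class PlaceNameCheck {
    // Assumed allowlist: starts alphanumeric, then letters, digits, '.', '_', '-'.
    private static final Pattern SAFE =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");
    // The metacharacters the description lists as passing through.
    private static final String SHELL_META = ";|$`()";

    // The weak pattern the description reports: only spaces are rewritten.
    static String spacesOnly(String placeName) {
        return placeName.replace(' ', '_');
    }

    // True if any of the listed metacharacters is still present.
    static boolean hasShellMeta(String s) {
        return s.chars().anyMatch(c -> SHELL_META.indexOf(c) >= 0);
    }

    // Hardened check: reject anything outside the allowlist instead of rewriting it.
    static String requireSafe(String placeName) {
        if (placeName == null || !SAFE.matcher(placeName).matches()) {
            throw new IllegalArgumentException("unsafe place name");
        }
        return placeName;
    }

    // Argument vector instead of a "/bin/sh -c" string: no shell parses the value.
    static ProcessBuilder buildCommand(String tool, String placeName) {
        return new ProcessBuilder(tool, requireSafe(placeName));
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the advisory.
        String[] samples = { "UnixCommandPlace", "My Place", "place;$(x)|`y`" };
        for (String s : samples) {
            String weak = spacesOnly(s);
            String verdict;
            try {
                // "/usr/bin/tool" is a placeholder path; the process is never started.
                verdict = "accepted " + buildCommand("/usr/bin/tool", s).command();
            } catch (IllegalArgumentException e) {
                verdict = "rejected";
            }
            System.out.printf("%-18s spacesOnly=%-18s metaSurvives=%b allowlist=%s%n",
                    s, weak, hasShellMeta(weak), verdict);
        }
    }
}
```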
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gov.nsa.emissary:emissary (Maven) | < 8.39.0 | 8.39.0 |
Affected products: 1
Patches: 0
No patches discovered yet.
References (4)
- github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v · nvd · Exploit, Vendor Advisory, WEB
- github.com/advisories/GHSA-6c37-7w4p-jg9v · ghsa · ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-35581 · ghsa · ADVISORY
- github.com/NationalSecurityAgency/emissary/pull/1290 · ghsa · WEB
News mentions (1)
- Chinese APT Abuses Multiple Cloud Tools to Spy on Mongolia · Dark Reading · Apr 24, 2026