CVE-2026-35581
Published 2026-04-07
Priority: P348 · Severity: high · CVSS 3.1 base score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.56% (42.5th percentile)
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACE_NAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass through into /bin/sh -c command execution. This vulnerability is fixed in 8.39.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nationalsecurityagency | emissary | < 8.39.0 | 8.39.0 |
| nsa | emissary | <= 8.38.0 | — |
GHSA (ghsa · 2026-04-08): CVE-2026-35581 [HIGH] CWE-78 (OS Command Injection)
Emissary has a Command Injection via PLACE_NAME Configuration in Executrix
## Summary
The `Executrix` utility class constructed shell commands by concatenating
configuration-derived values — including the `PLACE_NAME` parameter — with
insufficient sanitization. Only spaces were replaced with underscores, allowing
shell metacharacters (`;`, `|`, `$`, `` ` ``, `(`, `)`, etc.) to pass through
into `/bin/sh -c` command execution.
## Details
### Vulnerable code — `Executrix.java`
**Insufficient sanitization (line 132):**
```java
this.placeName = this.placeName.replace(' ', '_');
// ONLY replaces spaces — shell metacharacters pass through
```
**Shell sink (line 1052–1058):**
```java
protected String[] getTimedCommand(final String c) {
return new String[] {"/bin/sh", "-c", "ulimit -c 0; cd
```
The excerpt is truncated at this point in the advisory. The relevant property is already visible: the whole command is assembled as one string and handed to `/bin/sh -c`, so every metacharacter that survives the space-only replacement (the `placeName` value among them) is parsed and acted on by the shell rather than passed literally to the child process.
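The contrast below is an added example, not Emissary's code: `sanitizeSpacesOnly` reproduces the space-only replacement the advisory quotes, `validatePlaceName` is an assumed allowlist policy (identifier characters, bounded length), and `timedCommand` shows the shell-free alternative to a `/bin/sh -c` string, passing the coreutils `timeout` wrapper and the program's arguments as separate argv elements and using `ProcessBuilder.directory()` in place of the shell's `cd`. The hostile value is constructed for the demo; `timeout(1)` is assumed to be on `PATH`.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Added example, not project code: weak vs. allowlist sanitization, and a shell-free timed command. */
public class PlaceNameHardening {

    /** Mirrors the weak sanitization the advisory quotes: only spaces are rewritten. */
    static String sanitizeSpacesOnly(String placeName) {
        return placeName.replace(' ', '_');
    }

    /** Characters that /bin/sh -c interprets; used here only to report whether a value is shell-safe. */
    private static final String SHELL_METACHARS = ";|&$`()<>\"'\\*?[]{}~#\n";

    static boolean containsShellMetachar(String s) {
        for (int i = 0; i < s.length(); i++) {
            if (SHELL_METACHARS.indexOf(s.charAt(i)) >= 0) {
                return true;
            }
        }
        return false;
    }

    /** Assumed allowlist policy for PLACE_NAME: identifier characters only, at most 64 of them. */
    private static final Pattern SAFE_PLACE_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    static String validatePlaceName(String placeName) {
        if (placeName == null || !SAFE_PLACE_NAME.matcher(placeName).matches()) {
            throw new IllegalArgumentException("PLACE_NAME rejected by allowlist: " + placeName);
        }
        return placeName;
    }

    /**
     * Shell-free replacement for a "/bin/sh -c" timed command. Each value is its own argv
     * element, so nothing is re-parsed; the working directory replaces the shell's "cd".
     * Assumes coreutils timeout(1) is on PATH.
     */
    static ProcessBuilder timedCommand(String workDir, int timeoutSeconds, List<String> argv) {
        List<String> cmd = new ArrayList<>();
        cmd.add("timeout");
        cmd.add("-s");
        cmd.add("KILL");
        cmd.add(timeoutSeconds + "s");
        cmd.addAll(argv);
        return new ProcessBuilder(cmd).directory(new File(workDir));
    }

    public static void main(String[] args) throws Exception {
        // Constructed configuration value: a space plus a command separator.
        String hostile = "My Place; id";

        String weak = sanitizeSpacesOnly(hostile);
        System.out.println("space-only sanitization -> " + weak
                + " (shell metacharacter survives: " + containsShellMetachar(weak) + ")");

        try {
            validatePlaceName(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("allowlist -> " + e.getMessage());
        }
        System.out.println("allowlist accepts -> " + validatePlaceName("UnixFilePlace"));

        // With no shell in the path, the unvalidated value is delivered literally to echo.
        ProcessBuilder pb = timedCommand("/tmp", 5, List.of("echo", weak));
        System.out.println("argv -> " + pb.command());
        Process p = pb.inheritIO().start();
        System.out.println("exit -> " + p.waitFor());
    }
}
```

Run with `java PlaceNameHardening.java` (JDK 11 or later). The echo step prints `My_Place; id` as a single argument and never runs `id`, which is the property the original `/bin/sh -c` construction lacked. The `ulimit -c 0` from the original string has no direct argv equivalent; if a core-dump limit is still required, prepend a limits wrapper such as `prlimit --core=0` where it is available, or set the limit in the service's unit file.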
OSV (osv · 2026-04-08): CVE-2026-35581 [HIGH] Emissary has a Command Injection via PLACE_NAME Configuration in Executrix (advisory text identical to the GHSA entry above)
No detection rules found.
No public exploits indexed.
Published: 2026-04-07