CVE-2026-35583
published 2026-04-07

Priority: P3 35, medium
CVSS 3.1: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.32% (23.8th percentile)

Emissary is a P2P-based, data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for "\", "/", ".." and a trailing ".". This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path traversal and read configuration files outside the intended directory. This vulnerability is fixed in 8.39.0.
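
The contrast the description draws, as an added Java example (not Emissary's code and not its 8.39.0 fix): a denylist modelled on the four checks listed above accepts the constructed encoded names unchanged, while an allowlist followed by a resolved-path containment check rejects them. The class, method and directory names are hypothetical.

```java
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added illustration only: class, method and directory names are hypothetical and
// the sample names are constructed. This is not Emissary's code or its fix.
public class ConfigNameCheck {

    // Allowlist: ASCII letters, digits, '_' and '-', with single dots between segments.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9_-]+(\\.[A-Za-z0-9_-]+)*");

    // Denylist as the advisory describes it: rejects \, /, .. and a trailing dot.
    static boolean denylistAccepts(String name) {
        return !(name.contains("\\") || name.contains("/")
                || name.contains("..") || name.endsWith("."));
    }

    // Allowlist first, then confirm the resolved path stays inside the config directory.
    static Path resolveConfig(Path configDir, String name) {
        if (name == null || name.length() > 128 || !SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid configuration name");
        }
        Path base = configDir.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("name resolves outside config directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path dir = Path.of("config");        // hypothetical config directory
        String[] samples = {                 // constructed inputs
            "emissary.core.Namespace.cfg",   // plain name
            "%2e%2e%2fother.cfg",            // URL-encoded
            "%252e%252e%252fother.cfg",      // double-encoded
            "\uFF0E\uFF0E\uFF0Fother.cfg",   // fullwidth forms that NFKC folds to "../"
        };
        for (String s : samples) {
            boolean ok = true;
            try { resolveConfig(dir, s); } catch (IllegalArgumentException e) { ok = false; }
            System.out.printf("%-28s denylist=%b allowlist=%b%n", s, denylistAccepts(s), ok);
        }
    }
}
```

The denylist result matters only if a later layer decodes or normalizes the name before it reaches the filesystem; the allowlist removes that dependency because "%" and non-ASCII characters never pass validation.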

Affected

2 ranges
Vendor                  Product   Version range  Fixed in
nationalsecurityagency  emissary  < 8.39.0       8.39.0
nsa                     emissary  <= 8.38.0