CVE Tools
Sign in

CVE-2026-35582

Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix

Published: Apr 18, 2026Updated: Apr 24, 2026 Sources: CVE List NVDCWE-78
NVD MITRE
8.8CVSSHIGH
EPSS Score
0.9%
Top 46.3%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The IN_FILE_ENDING and OUT_FILE_ENDING configuration keys flow directly into these paths, allowing a place author who can write or modify a .cfg file to inject arbitrary shell metacharacters that execute OS commands in the JVM process's security context. The framework already sanitizes placeName via an allowlist before embedding it in the same shell string, but applies no equivalent sanitization to file ending values. No runtime privileges beyond place configuration authorship, and no API or network access, are required to exploit this vulnerability. This is a framework-level defect with no safe mitigation available to downstream implementors, as Executrix provides neither escaping nor documented preconditions against metacharacters in file ending inputs. This issue has been fixed in version 8.43.0.

CVSS Vector Breakdown

AV:LAC:LPR:LUI:NS:CC:HI:HA:H
Exploitability
AV:LAttack Vector
Local
AC:LAttack Complexity
Low
PR:LPrivileges Required
Low
UI:NUser Interaction
None
Scope
S:CScope
Changed
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-78CWE-116

Affected Products

emissarynsa
Mixed
Security Products / vuln-mgmt-scanner
emissaryNationalSecurityAgency
On-prem
Security Products / vuln-mgmt-scanner
nsaUSSecurity Productsaka nsa (organization)
nationalsecurityagencyUSSecurity Productsaka nsa

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available
Workaround Available

MITRE ATT&CK

1 technique
Execution
View detailed technique mapping

References

https://github.com/NationalSecurityAgency/emissary/commit/1faf33f2494c0128f250d7d2e8f2da99bbd32ae8
github.com
https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3p24-9x7v-7789
github.com

Timeline

Published
Apr 18, 2026
Last Updated
Apr 24, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-35582 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows