PT-2026-30892 · Emissary · Emissary

Brennantm · Published 2026-04-06 · Updated 2026-04-14 · CVE-2026-35580

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Emissary versions prior to 8.39.0

Description

Emissary is a P2P-based data-driven workflow engine. Prior to version 8.39.0, GitHub Actions workflow files contained shell injection points. User-controlled workflow dispatch inputs were interpolated directly into shell commands via the ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, potentially leading to repository poisoning and supply chain compromise affecting downstream users.

Recommendations

Update to version 8.39.0 or higher.
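
The pattern in the description can be audited mechanically. The following is an added example, not code from the Emissary project or this advisory: a small checker that reports workflow dispatch inputs expanded with ${{ }} inside `run:` scripts. Both sample workflows are constructed, and the `env:` form is the general mitigation for this class of bug; the page does not state how 8.39.0 implements its fix.

```python
import re

EXPR = re.compile(r"\$\{\{(.*?)\}\}")  # any ${{ ... }} expression
INPUT_REF = re.compile(r"\b(?:github\.event\.inputs|inputs)\.[\w-]+")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_injection_points(workflow_text):
    """Return (line_number, input_reference) for inputs expanded inside run: scripts."""
    findings = []
    run_col = None  # column of the active `run:` key; None outside a script
    for number, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # dedent: the script block has ended
        if run_col is None:
            match = RUN_KEY.match(line)
            if not match:
                continue  # e.g. an env: mapping, which the shell never parses
            run_col = len(match.group(1))
            script = match.group(2)
        else:
            script = line
        for expr in EXPR.findall(script):
            ref = INPUT_REF.search(expr)
            if ref:
                findings.append((number, ref.group(0)))
    return findings

# Constructed sample steps (not taken from the Emissary repository).
VULNERABLE = """\
      - name: Tag release
        run: |
          git tag "v${{ inputs.version }}"
          git push origin "v${{ github.event.inputs.version }}"
"""
# Same step with the input passed through an environment variable, so the
# value reaches the shell as data instead of being pasted into the script.
HARDENED = """\
      - name: Tag release
        env:
          VERSION: ${{ inputs.version }}
        run: |
          git tag "v$VERSION"
          git push origin "v$VERSION"
"""

if __name__ == "__main__":
    print(find_injection_points(VULNERABLE), find_injection_points(HARDENED))
```

The checker is line-based and only follows `run:` keys, so it does not cover expressions passed to other script-executing steps.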

Fix

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-35580
GHSA-3G6G-GQ4R-XJM9
OPENSUSE-SU-2026:10540-1

Affected Products

Emissary