CVE-2026-35581

Name of the Vulnerable Software and Affected Versions Emissary versions prior to 8.39.0

Description Emissary is a P2P based data-driven workflow engine. Prior to version 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values, including the PLACE NAME parameter, with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters such as ;, |, $, `, (, ), etc., to pass through into /bin/sh -c command execution.

Recommendations Update to version 8.39.0 or later.