PT-2026-30894 · Emissary · Emissary

Brennantm · Published 2026-04-07 · Updated 2026-04-08 · CVE-2026-35583

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Emissary versions prior to 8.39.0

Description

Emissary is a P2P-based data-driven workflow engine. Prior to version 8.39.0, the configuration API endpoint /api/configuration/{name} validated configuration names using a blacklist approach that checked for , /, .., and trailing .. This validation could be bypassed using URL-encoded variants, double-encoding, or Unicode normalization, potentially leading to path traversal and the ability to read configuration files outside the intended directory.

Recommendations

Update to version 8.39.0 or later.
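
The following Java example is added here for illustration; it is not Emissary's code and not the 8.39.0 patch. It shows the allowlist alternative to the blacklist described above: the name is accepted only if it matches a strict pattern, and the resolved path must still sit under the configuration directory. The class name, the naming policy, and the base directory are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/** Hypothetical helper (not Emissary's code): allowlist plus containment check for a config name. */
public final class ConfigNameValidator {
    // Assumed naming policy: ASCII letters, digits, '_' and '-', joined by single dots.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_-]+(\\.[A-Za-z0-9_-]+)*");
    private static final int MAX_LENGTH = 128; // assumed limit

    private final Path baseDir;

    public ConfigNameValidator(Path baseDir) {
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** Returns the resolved path, or throws if the name fails the allowlist or leaves baseDir. */
    public Path resolve(String name) {
        // Validate the value exactly as it will be used; do not decode or normalize it afterwards.
        // '%', '/', '\\' and non-ASCII characters are simply not in the allowlist, so encoded,
        // double-encoded and Unicode look-alike forms are rejected without special cases.
        if (name == null || name.length() > MAX_LENGTH || !ALLOWED.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid configuration name");
        }
        Path candidate = baseDir.resolve(name).normalize();
        // Defence in depth: the normalized result must remain inside the base directory.
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("configuration name escapes base directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        ConfigNameValidator v = new ConfigNameValidator(Paths.get("/opt/app/config")); // constructed path
        String[] samples = { // constructed inputs, one per bypass class named in the description
            "emissary.place.Sample.cfg", "..", "a/b.cfg", "%2e%2e%2fx", "%252e%252e", "\uFF0E\uFF0E", "name."
        };
        for (String s : samples) {
            try {
                System.out.println("accept  " + v.resolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println("reject  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample is accepted; every other input contains a character or dot placement outside the allowlist and is rejected before any path is built.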

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-35583
GHSA-HXF2-GM22-7VCM

Affected Products

Emissary