PT-2026-32572 · Emissary

Published: 2026-04-03 · Updated: 2026-04-18 · CVE-2026-35582

CVSS v3.1: 8.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Emissary versions prior to 8.42.0

Description: A framework-level defect in the Executrix.getCommand() function allows arbitrary OS command execution in the JVM security context. The issue occurs because the function constructs shell commands by substituting temporary file paths directly into a '/bin/sh -c' string without proper escaping or validation. Specifically, the configuration keys IN FILE ENDING and OUT FILE ENDING are concatenated into file paths and subsequently passed to the shell. An attacker with the ability to author place configurations can set these keys to include shell metacharacter sequences, which are then interpreted and executed by the shell when the place processes a payload.

Recommendations: For versions prior to 8.42.0, update the software to a version where inFileEnding and outFileEnding are validated against an allowlist of alphanumeric characters, dots, underscores, and hyphens upon assignment. As a temporary workaround, restrict access to the configuration files and the configuration directory to prevent unauthorized modification of the IN FILE ENDING and OUT FILE ENDING values.
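The allowlist check the recommendation describes, written here as an added illustration rather than Emissary's own code; the class and method names are hypothetical and the sample values are constructed:

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example, not Emissary's code. It applies the rule the advisory
// recommends for inFileEnding / outFileEnding: only letters, digits, dots,
// underscores and hyphens, enforced when the value is assigned, so a
// malformed ending never reaches a path that is later handed to "/bin/sh -c".
public final class FileEndingValidator {

    // Allowlist named in the advisory: alphanumerics, '.', '_' and '-'.
    // The '+' quantifier also rejects the empty string.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9._-]+");

    private FileEndingValidator() {}

    // True only when the entire value matches the allowlist
    // (Matcher.matches() requires a full-string match, not a substring hit).
    public static boolean isValid(String ending) {
        return ending != null && ALLOWED.matcher(ending).matches();
    }

    // Guard for the setter: reject at assignment time, not at use time,
    // and name the offending key so the bad configuration is easy to locate.
    public static String requireValid(String key, String ending) {
        if (!isValid(ending)) {
            throw new IllegalArgumentException(
                key + " must match [A-Za-z0-9._-]+ but was: " + ending);
        }
        return ending;
    }

    public static void main(String[] args) {
        // Constructed sample values: the first two are well-formed endings,
        // the rest contain characters a shell would treat as syntax, or are empty.
        List<String> samples = List.of(".in", "_out.txt", "a b", "x;y", "a|b", "");
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + (isValid(s) ? "accepted" : "rejected"));
        }
        // Typical use in a place's configuration loader (hypothetical key names):
        String inEnding = requireValid("IN_FILE_ENDING", ".in");
        String outEnding = requireValid("OUT_FILE_ENDING", ".out");
        System.out.println("configured: " + inEnding + " / " + outEnding);
    }
}
```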

Weakness Enumeration

Improper Encoding or Escaping of Output
OS Command Injection

Related Identifiers

CVE-2026-35582
GHSA-3P24-9X7V-7789
OPENSUSE-SU-2026:10540-1

Affected Products

Emissary