2 matches found
CVE-2026-35582 Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix
Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The INFILEENDING and...
CVE-2026-35582
CVE-2026-35582: Emissary’s Executrix.getCommand() interpolates IN_FILE_ENDING and OUT_FILE_ENDING directly into a /bin/sh -c command string without escaping, enabling local OS command injection when a config place writes shell metacharacters. Connected docs provide concrete details: TempFileNames...