22 matches found
CVE-2026-35582
Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The INFILEENDING and...
EUVD-2026-23628
Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The INFILEENDING and...
CVE-2026-35582 Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix
Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The INFILEENDING and...
CVE-2026-35582
Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The INFILEENDING and...
CVE-2026-35582 Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix
Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The INFILEENDING and...
CVE-2026-35582
CVE-2026-35582: Emissary’s Executrix.getCommand() interpolates IN_FILE_ENDING and OUT_FILE_ENDING directly into a /bin/sh -c command string without escaping, enabling local OS command injection when a config place writes shell metacharacters. Connected docs provide concrete details: TempFileNames...
Emissary 安全漏洞
Emissary is a distributed P2P data-driven workflow framework developed by the National Security Agency. Versions of Emissary 8.42.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the Executrix.getCommand function, which inserted temporary file paths into shell...
GHSA-3P24-9X7V-7789 Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix
Summary Executrix.getCommand constructs shell commands by substituting temporary file paths directly into a /bin/sh -c string with no escaping. The INFILEENDING and OUTFILEENDING configuration keys flow into those paths unmodified. A place author who sets either key to a shell metacharacter...
Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix
Summary Executrix.getCommand constructs shell commands by substituting temporary file paths directly into a /bin/sh -c string with no escaping. The INFILEENDING and OUTFILEENDING configuration keys flow into those paths unmodified. A place author who sets either key to a shell metacharacter...
CVE-2026-35581
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACENAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing she...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the Executrix utility when configuration-derived values, such as PLACENAME, are concatenated into shell commands without sufficient sanitization. An attacker can achieve arbitrary command execution by supplying...
Emissary has a Command Injection via PLACE_NAME Configuration in Executrix
Summary The Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACENAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters ;, |, $, , , , etc. to pass through into...
GHSA-6C37-7W4P-JG9V Emissary has a Command Injection via PLACE_NAME Configuration in Executrix
Summary The Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACENAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters ;, |, $, , , , etc. to pass through into...
EUVD-2026-19730
Emissary has a Command Injection via PLACENAME Configuration in Executrix...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the Executrix utility when configuration-derived values, such as PLACENAME, are concatenated into shell commands without sufficient sanitization. An attacker can achieve arbitrary command execution by supplying...
CVE-2026-35581
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACENAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing she...
CVE-2026-35581
Emissary’s Executrix utility creates shell commands by concatenating configuration-derived values (including PLACE_NAME) with insufficient sanitization prior to version 8.39.0. This allowed shell metacharacters to pass into /bin/sh -c command execution, enabling a Command Injection vulnerability....
CVE-2026-35581 Emissary has a Command Injection via PLACE_NAME Configuration in Executrix
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACENAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing she...
CVE-2026-35581 Emissary has a Command Injection via PLACE_NAME Configuration in Executrix
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACENAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing she...
CVE-2026-35581
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACENAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing she...