{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/emissary/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-35581"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","command injection","emissary"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eEmissary is a P2P-based data-driven workflow engine. Prior to version 8.39.0, a critical vulnerability, CVE-2026-35581, existed within the Executrix utility class. This class constructs shell commands by concatenating configuration-derived values, specifically the PLACE_NAME parameter, without proper sanitization. The sanitization only replaced spaces with underscores, leaving shell metacharacters (;, |, $, `, (, ), etc.) unescaped. This flaw allows attackers to inject arbitrary commands into the command executed by /bin/sh -c. Emissary version 8.39.0 addresses and resolves this command injection vulnerability. 
This vulnerability allows an attacker with high privileges to escalate privileges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker with high privileges gains access to the Emissary configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the PLACE_NAME configuration parameter to include malicious shell metacharacters (e.g., \u003ccode\u003e; whoami \u0026gt; /tmp/output\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe system uses the modified PLACE_NAME parameter to construct a shell command.\u003c/li\u003e\n\u003cli\u003eThe Executrix utility class executes the command via \u003ccode\u003e/bin/sh -c\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected shell metacharacters allow the attacker\u0026rsquo;s command (\u003ccode\u003ewhoami\u003c/code\u003e) to execute.\u003c/li\u003e\n\u003cli\u003eThe output of the command is written to \u003ccode\u003e/tmp/output\u003c/code\u003e, confirming arbitrary command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the initial foothold to escalate privileges further.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control of the affected system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35581 allows a high-privilege attacker to achieve arbitrary command execution on the Emissary server. The CVSS v3.1 score of 7.2 indicates a high level of severity. Depending on the Emissary deployment, this could lead to data breaches, service disruption, or complete system compromise. 
The number of victims and specific sectors targeted are currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Emissary to version 8.39.0 or later to remediate CVE-2026-35581.\u003c/li\u003e\n\u003cli\u003eMonitor Emissary configuration files for unauthorized modifications to the PLACE_NAME parameter.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all configuration parameters to prevent command injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious PLACE_NAME Parameter Modification\u003c/code\u003e to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable command-line auditing to log all commands executed by the Emissary process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T17:16:33Z","date_published":"2026-04-07T17:16:33Z","id":"/briefs/2026-04-emissary-command-injection/","summary":"Emissary, a P2P data-driven workflow engine, is vulnerable to OS command injection due to insufficient sanitization of the PLACE_NAME parameter in versions prior to 8.39.0, allowing for arbitrary command execution.","title":"Emissary OS Command Injection Vulnerability (CVE-2026-35581)","url":"https://feed.craftedsignal.io/briefs/2026-04-emissary-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Emissary","version":"https://jsonfeed.org/version/1.1"}