CVE-2026-35582 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: April 18, 2026
Emissary - Command Injection
Overview
Emissary <= 8.42.0 contains a command injection vulnerability in Executrix.getCommand(), which interpolates temporary file paths into /bin/sh -c commands without sanitizing them. This lets place authors execute OS commands. Exploitation requires place configuration authorship.
Severity & Score
Impact
Place authors can execute arbitrary OS commands in the JVM process, potentially compromising the system.
Mitigation
Upgrade to version 8.43.0 or later.
References
Social Media Activity (2 posts)
CVE-2026-35582 - High (8.8) Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escapi... https://www.thehackerwire.com/vulnerability/CVE-2026-35582/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-35582
- Severity: High
- CVSS Score: 8.8
- Type: command_injection
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-78
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H