EUVD-2026-19730
GHSA-6c37-7w4p-jg9v
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Tags
Description
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values - including the PLACE_NAME parameter - with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass through into /bin/sh -c command execution. This vulnerability is fixed in 8.39.0.
Analysis
Command injection in NSA Emissary P2P workflow engine (versions prior to 8.39.0) allows authenticated remote administrators to execute arbitrary shell commands through unsanitized PLACE_NAME parameter values. The Executrix utility class passes configuration-derived values directly to /bin/sh -c with only space-to-underscore sanitization, enabling shell metacharacters (semicolons, pipes, backticks) to trigger command execution. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running NSA Emissary P2P versions prior to 8.39.0 using asset inventory or network scanning. Within 7 days: Upgrade to version 8.39.0 or later on all identified systems; coordinate downtime windows with business owners. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today