CVE-2026-35580
Emissary has GitHub Actions Shell Injection via Workflow Inputs
CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to repository poisoning and supply chain compromise affecting all downstream users. This vulnerability is fixed in 8.39.0.
| CWE | CWE-77 |
| Vendor | nationalsecurityagency |
| Product | emissary |
| Published | Apr 7, 2026 |
| Last Updated | Apr 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for nationalsecurityagency emissary
Be the first to know when new critical vulnerabilities affecting nationalsecurityagency emissary are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
NationalSecurityAgency / emissary
< 8.39.0