CVE-2026-35580: Emissary has GitHub Actions Shell Injection via Workflow Inputs
Three GitHub Actions workflow files contained 10 shell injection points where
user-controlled workflow_dispatch inputs were interpolated directly into shell
commands via ${{ }} expression syntax. Because such expressions are expanded
into the script text before the shell parses it, an attacker with repository
write access could inject arbitrary shell commands, leading to repository
poisoning and supply chain compromise affecting all downstream users.
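The weakness described above is easy to check for mechanically. The script below is an added example, not code from the Emissary project or from the advisory: it scans the text of a GitHub Actions workflow for `run:` steps that interpolate a workflow_dispatch input (`${{ inputs.x }}` or `${{ github.event.inputs.x }}`) and reports each offending line. The two workflows embedded in it are constructed samples, not Emissary's real workflow files; the second shows the usual remediation of passing the input through an `env:` variable and referencing it as a quoted shell variable, so the runner's expression expansion never touches the script text.

```python
import re
from typing import List, Tuple

# A ${{ }} expression that reads a workflow_dispatch input, in either spelling:
# ${{ inputs.version }} or ${{ github.event.inputs.version }}.
INPUT_EXPR = re.compile(r"\$\{\{\s*(?:github\.event\.)?inputs\.[\w-]+\s*\}\}")

# The start of a `run:` step, either inline (`run: cmd`) or a block scalar (`run: |`).
RUN_KEY = re.compile(r"^\s*(?:-\s+)?(?P<key>run):\s*(?P<rest>.*)$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def find_run_injections(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, script_line) for every line of a `run:` step that
    expands a workflow_dispatch input with ${{ }}. Lines outside `run:` blocks
    (for example an `env:` mapping) are deliberately not reported, because
    passing the input through the environment is the safe pattern."""
    findings: List[Tuple[int, str]] = []
    lines = workflow_text.splitlines()
    n = len(lines)
    i = 0
    while i < n:
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = m.start("key")
        rest = m.group("rest").strip()
        if rest and rest[0] not in "|>":
            # Inline form: the whole script is on this line.
            if INPUT_EXPR.search(rest):
                findings.append((i + 1, rest))
            i += 1
            continue
        # Block scalar: the body is every following line indented deeper than
        # the `run` key, up to the first non-blank line that is not.
        i += 1
        j = i
        while j < n and not lines[j].strip():
            j += 1
        if j >= n or _indent(lines[j]) <= key_col:
            i = j
            continue  # empty block
        body_indent = _indent(lines[j])
        while i < n:
            line = lines[i]
            if line.strip() and _indent(line) < body_indent:
                break
            if INPUT_EXPR.search(line):
                findings.append((i + 1, line.strip()))
            i += 1
    return findings


# Constructed sample: the vulnerable pattern. The double quotes do not help,
# because the expression is substituted before the shell ever sees the script.
VULNERABLE_WORKFLOW = """\
name: release
on:
  workflow_dispatch:
    inputs:
      version:
        description: Version to tag
        required: true
jobs:
  tag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Create tag
        run: |
          git tag "v${{ inputs.version }}"
          git push origin "v${{ github.event.inputs.version }}"
"""

# Constructed sample: the remediated pattern. The input is bound to an
# environment variable and the script only ever reads the quoted variable.
FIXED_WORKFLOW = """\
name: release
on:
  workflow_dispatch:
    inputs:
      version:
        description: Version to tag
        required: true
jobs:
  tag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Create tag
        env:
          VERSION: ${{ inputs.version }}
        run: |
          git tag "v${VERSION}"
          git push origin "v${VERSION}"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        hits = find_run_injections(text)
        print(f"{label}: {len(hits)} injection point(s)")
        for lineno, script in hits:
            print(f"  line {lineno}: {script}")
```

The scanner is a line-oriented heuristic rather than a full YAML parser, so it is meant as a quick repository-wide check (for example over `.github/workflows/*.yml`), not as a replacement for reviewing each workflow. Its key property is that it flags expression expansion only inside `run:` script text, which is exactly where the expansion becomes shell code.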
References
- github.com/NationalSecurityAgency/emissary
- github.com/NationalSecurityAgency/emissary/pull/1286
- github.com/NationalSecurityAgency/emissary/pull/1288
- github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-3g6g-gq4r-xjm9
- github.com/advisories/GHSA-3g6g-gq4r-xjm9
- nvd.nist.gov/vuln/detail/CVE-2026-35580