{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32948", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.284Z", "datePublished": "2026-03-24T18:48:30.620Z", "dateUpdated": "2026-03-24T18:48:30.620Z"}, "containers": {"cna": {"title": "sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"}, {"name": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e"}, {"name": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800"}, {"name": "https://github.com/sbt/sbt/releases/tag/v1.12.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/releases/tag/v1.12.7"}], "affected": [{"vendor": "sbt", "product": "sbt", "versions": [{"version": ">= 0.9.5, < 1.12.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:48:30.620Z"}, "descriptions": [{"lang": "en", "value": "sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process(\"cmd\", \"/c\", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7."}], "source": {"advisory": "GHSA-x4ff-q6h8-v7gw", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process(\"cmd\", \"/c\", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7."}], "id": "CVE-2026-32948", "lastModified": "2026-03-24T20:16:27.180", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:27.180", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e"}, {"source": "security-advisories@github.com", "url": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800"}, {"source": "security-advisories@github.com", "url": "https://github.com/sbt/sbt/releases/tag/v1.12.7"}, {"source": "security-advisories@github.com", "url": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "org.scala-sbt/sbt: sbt: Arbitrary command execution via unvalidated URI fragments on Windows", "id": "2450890", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450890"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in sbt, a build tool for Scala and Java. On Windows, sbt uses the `cmd /c` command interpreter to execute version control system (VCS) commands. A remote attacker can exploit this by providing a specially crafted URI fragment (such as a branch, tag, or revision name) in the build definition. Because `cmd /c` interprets special characters as command separators, this lack of validation allows the attacker to inject and execute arbitrary commands on the system where sbt is running."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-32948", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "sbt", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "sbt", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "sbt", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-03-24T18:48:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32948\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32948\nhttps://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e\nhttps://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800\nhttps://github.com/sbt/sbt/releases/tag/v1.12.7\nhttps://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"], "threat_severity": "Moderate"}

{}