{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32948", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.284Z", "datePublished": "2026-03-24T18:48:30.620Z", "dateUpdated": "2026-03-26T13:21:23.354Z"}, "containers": {"cna": {"title": "sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"}, {"name": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e"}, {"name": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800"}, {"name": "https://github.com/sbt/sbt/releases/tag/v1.12.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/releases/tag/v1.12.7"}], "affected": [{"vendor": "sbt", "product": "sbt", "versions": [{"version": ">= 0.9.5, < 1.12.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:48:30.620Z"}, "descriptions": [{"lang": "en", "value": "sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process(\"cmd\", \"/c\", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7."}], "source": {"advisory": "GHSA-x4ff-q6h8-v7gw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T03:55:37.968982Z", "id": "CVE-2026-32948", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:21:23.354Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32948", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.284Z", "datePublished": "2026-03-24T18:48:30.620Z", "dateUpdated": "2026-03-26T13:21:23.354Z"}, "containers": {"cna": {"title": "sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"}, {"name": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e"}, {"name": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800"}, {"name": "https://github.com/sbt/sbt/releases/tag/v1.12.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/releases/tag/v1.12.7"}], "affected": [{"vendor": "sbt", "product": "sbt", "versions": [{"version": ">= 0.9.5, < 1.12.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:48:30.620Z"}, "descriptions": [{"lang": "en", "value": "sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process(\"cmd\", \"/c\", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7."}], "source": {"advisory": "GHSA-x4ff-q6h8-v7gw", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32948", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T03:55:37.968982Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:28:23.163Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:scala.epfl:sbt:*:*:*:*:*:*:*:*", "matchCriteriaId": "98332CC2-3012-483E-8C64-DF7E640E440A", "versionEndExcluding": "1.12.7", "versionStartIncluding": "0.9.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process(\"cmd\", \"/c\", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7."}, {"lang": "es", "value": "sbt es una herramienta de construcci\u00f3n para Scala, Java y otros. Desde la versi\u00f3n 0.9.5 hasta antes de la versi\u00f3n 1.12.7, en Windows, sbt utiliza Process(cmd, /c, ...) para ejecutar comandos VCS (git, hg, svn). El fragmento URI (rama, etiqueta, revisi\u00f3n) es controlado por el usuario a trav\u00e9s de la definici\u00f3n de construcci\u00f3n y se pasa a estos comandos sin validaci\u00f3n. Debido a que cmd /c interpreta &amp;, |, y ; como separadores de comandos, un fragmento malicioso puede ejecutar comandos arbitrarios. Este problema ha sido parcheado en la versi\u00f3n 1.12.7."}], "id": "CVE-2026-32948", "lastModified": "2026-03-26T20:27:54.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:27.180", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/sbt/sbt/releases/tag/v1.12.7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "org.scala-sbt/sbt: sbt: Arbitrary command execution via unvalidated URI fragments on Windows", "id": "2450890", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450890"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in sbt, a build tool for Scala and Java. On Windows, sbt uses the `cmd /c` command interpreter to execute version control system (VCS) commands. A remote attacker can exploit this by providing a specially crafted URI fragment (such as a branch, tag, or revision name) in the build definition. Because `cmd /c` interprets special characters as command separators, this lack of validation allows the attacker to inject and execute arbitrary commands on the system where sbt is running."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-32948", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "sbt", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "sbt", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "sbt", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-03-24T18:48:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32948\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32948\nhttps://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e\nhttps://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800\nhttps://github.com/sbt/sbt/releases/tag/v1.12.7\nhttps://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"], "threat_severity": "Moderate"}