{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32948", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.284Z", "datePublished": "2026-03-24T18:48:30.620Z", "dateUpdated": "2026-03-26T13:21:23.354Z"}, "containers": {"cna": {"title": "sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"}, {"name": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e"}, {"name": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800"}, {"name": "https://github.com/sbt/sbt/releases/tag/v1.12.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/releases/tag/v1.12.7"}], "affected": [{"vendor": "sbt", "product": "sbt", "versions": [{"version": ">= 0.9.5, < 1.12.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:48:30.620Z"}, "descriptions": [{"lang": "en", "value": "sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process(\"cmd\", \"/c\", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7."}], "source": {"advisory": "GHSA-x4ff-q6h8-v7gw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T03:55:37.968982Z", "id": "CVE-2026-32948", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:21:23.354Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32948", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.284Z", "datePublished": "2026-03-24T18:48:30.620Z", "dateUpdated": "2026-03-26T13:21:23.354Z"}, "containers": {"cna": {"title": "sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"}, {"name": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e"}, {"name": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800"}, {"name": "https://github.com/sbt/sbt/releases/tag/v1.12.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/releases/tag/v1.12.7"}], "affected": [{"vendor": "sbt", "product": "sbt", "versions": [{"version": ">= 0.9.5, < 1.12.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:48:30.620Z"}, "descriptions": [{"lang": "en", "value": "sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process(\"cmd\", \"/c\", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7."}], "source": {"advisory": "GHSA-x4ff-q6h8-v7gw", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32948", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T03:55:37.968982Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:28:23.163Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:scala.epfl:sbt:*:*:*:*:*:*:*:*", "matchCriteriaId": "98332CC2-3012-483E-8C64-DF7E640E440A", "versionEndExcluding": "1.12.7", "versionStartIncluding": "0.9.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process(\"cmd\", \"/c\", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7."}, {"lang": "es", "value": "sbt es una herramienta de construcci\u00f3n para Scala, Java y otros. Desde la versi\u00f3n 0.9.5 hasta antes de la versi\u00f3n 1.12.7, en Windows, sbt utiliza Process(cmd, /c, ...) para ejecutar comandos VCS (git, hg, svn). El fragmento URI (rama, etiqueta, revisi\u00f3n) es controlado por el usuario a trav\u00e9s de la definici\u00f3n de construcci\u00f3n y se pasa a estos comandos sin validaci\u00f3n. Debido a que cmd /c interpreta &amp;, |, y ; como separadores de comandos, un fragmento malicioso puede ejecutar comandos arbitrarios. Este problema ha sido parcheado en la versi\u00f3n 1.12.7."}], "id": "CVE-2026-32948", "lastModified": "2026-03-26T20:27:54.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:27.180", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/sbt/sbt/releases/tag/v1.12.7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "org.scala-sbt/sbt: sbt: Arbitrary command execution via unvalidated URI fragments on Windows", "id": "2450890", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450890"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in sbt, a build tool for Scala and Java. On Windows, sbt uses the `cmd /c` command interpreter to execute version control system (VCS) commands. A remote attacker can exploit this by providing a specially crafted URI fragment (such as a branch, tag, or revision name) in the build definition. Because `cmd /c` interprets special characters as command separators, this lack of validation allows the attacker to inject and execute arbitrary commands on the system where sbt is running."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-32948", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "sbt", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "sbt", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "sbt", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-03-24T18:48:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32948\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32948\nhttps://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e\nhttps://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800\nhttps://github.com/sbt/sbt/releases/tag/v1.12.7\nhttps://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.9.5,1.12.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "sbt", "source": "cna", "vendor": "sbt"}, "product": "sbt", "vendor": "sbt"}], "analysis": {"en": {"generated_at": "2026-03-24T20:24:27.127370+00:00", "value": {"mitigation_remediation": ["Upgrade sbt to version 1.12.7 or later", "Verify that all sbt build definitions do not contain untrusted VCS URL fragments", "Apply the official patch immediately if the update is not yet applied"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Windows command injection"}, "threat_synthesis": {"affected_systems": "Software versioning and build tool sbt is affected on the Windows platform for all releases from version 0.9.5 up to, but not including, 1.12.7. The issue was addressed in sbt release version 1.12.7, which implements proper validation of VCS URL fragments.", "description_and_impact": "The vulnerability arises in the Scala build tool sbt, where the tool invokes Windows command shell to run version control commands. A user-controlled portion of a VCS URL\u2014specifically the fragment that indicates branch, tag, or revision\u2014is passed directly to the shell without validation. Because cmd /c interprets the characters &, |, and ; as command separators, a crafted fragment can inject arbitrary shell commands. The result is that an attacker who supplies a malicious build definition can execute arbitrary code on the machine running sbt, compromising confidentiality, integrity, and availability of the system.", "risk_and_exploitability": "The severity is reflected in a CVSS score of 6.7. No EPSS score is currently available, and the vulnerability has not been listed in the CISA KEV catalog. Exploitation requires the attacker to provide a malicious sbt build definition that is subsequently processed by the tool on a Windows host. If this condition is met, arbitrary command execution is possible with the privileges of the sbt process. Given the lack of an exploit probability score, the risk remains contingent on the presence of uncontrolled build files within an organization's build environment."}}}}, "created": "2026-03-25T11:46:28.580066+00:00", "updated": "2026-03-25T20:57:54.274448+00:00", "vendors": ["sbt", "sbt$PRODUCT$sbt"]}