Description
sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7.
Published: 2026-03-24
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

SBT, the Scala build tool, was found to execute VCS commands using the Windows command interpreter. When a build definition includes a VCS URL, the fragment part of that URL (branch, tag, or revision information) is inserted directly into a cmd /c command string without validation. The command interpreter treats characters such as &, |, and ; as command separators, allowing a crafted fragment to inject arbitrary shell commands. This permits an attacker who can influence the build definition to execute any command with the permissions of the sbt process, potentially compromising the entire build environment. The weakness is a classic command injection flaw (CWE-78).

Affected Systems

The vulnerability affects SBT versions from 0.9.5 up to, but not including, 1.12.7 on Windows platforms. Any Windows installations running these older SBT versions and processing build files that reference source dependencies via VCS URLs are at risk.

Risk and Exploitability

The CVSS score is 6.7, indicating moderate severity, while the EPSS score is reported as less than 1 %, suggesting a low probability of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog. Because sbt runs on the local machine during build time, the attack vector is local or user‑provided, with the attacker needing to supply a malicious build definition or a compromised source dependency URL. If an attacker can deliver such a build file, they could gain full control of the sbt process on a Windows machine.

Generated by OpenCVE AI on March 26, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade sbt to version 1.12.7 or later, which removes the vulnerable cmd /c usage.

Generated by OpenCVE AI on March 26, 2026 at 21:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x4ff-q6h8-v7gw sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows
History

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
Scala.epfl
Scala.epfl sbt
CPEs cpe:2.3:a:scala.epfl:sbt:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows
Scala.epfl
Scala.epfl sbt
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Sbt
Sbt sbt
Vendors & Products Sbt
Sbt sbt

Wed, 25 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N'}

threat_severity

Moderate

Tue, 24 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7.
Title sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 6.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Microsoft Windows
Sbt Sbt
Scala.epfl Sbt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T13:21:23.354Z

Reserved: 2026-03-17T00:05:53.284Z

Link: CVE-2026-32948

cve-icon Vulnrichment

Updated: 2026-03-25T13:28:23.163Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T20:16:27.180

Modified: 2026-03-26T20:27:54.670

Link: CVE-2026-32948

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-24T18:48:30Z

Links: CVE-2026-32948 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:20:44Z

Weaknesses