CVE-2026-32948

EUVD-2026-14990

24.03.2026, 20:16

sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7.

OS Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
scala.epfl	sbt	0.9.5 ≤ 𝑥 < 1.12.7

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e

https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800

https://github.com/sbt/sbt/releases/tag/v1.12.7

https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw