CVE-2026-32948

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-32948

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32948.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-32948

Aliases

GHSA-x4ff-q6h8-v7gw

Published

2026-03-24T18:48:30.620Z

Modified

2026-04-10T05:43:09.611440Z

Severity

6.7 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows

Details

sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7.

Database specific

{
    "cwe_ids": [
        "CWE-78"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32948.json"
}

References

Affected packages

Git / github.com/sbt/sbt

Affected ranges

Type

GIT

Repo

https://github.com/sbt/sbt

Events

Introduced

081f296d55f17ea7f35303ebea9bacd271c8b900

Fixed

5391601ee998acf65b94c1f12df2086574842219

Database specific

{
    "versions": [
        {
            "introduced": "0.9.5"
        },
        {
            "fixed": "1.12.7"
        }
    ]
}

Affected versions

v0.*

v0.10.0

v0.10.1

v0.11.0-RC0

v0.12.0-Beta

v0.12.0-M1

v0.12.0-M2

v0.13.0-Beta2

v0.13.0-M1

v0.13.0-M2

v0.13.5-M1

v0.13.5-M2

v0.13.6-M1

v0.13.6-M2

v0.13.7-M2

v0.13.7-M3

v0.13.8-M1

v0.13.8-M5

v0.13.8-M6

v0.13.8-RC1

v0.9.10

v0.9.5

v0.9.6

v0.9.7

v0.9.8

v0.9.9

v1.*

v1.0.0-M5

v1.0.0-M6

v1.0.0-RC1

v1.1.0-M1

v1.1.0-RC1

v1.10.0

v1.10.0-M1

v1.10.0-RC1

v1.10.10

v1.10.11

v1.10.2

v1.10.3

v1.10.4

v1.10.5

v1.10.6

v1.10.7

v1.10.8

v1.10.9

v1.11.0

v1.11.0-RC1

v1.11.0-RC2

v1.11.1

v1.11.2

v1.11.3

v1.11.4

v1.11.5

v1.11.6

v1.11.7

v1.12.0

v1.12.0-M1

v1.12.0-M2

v1.12.0-RC1

v1.12.1

v1.12.2

v1.12.3

v1.12.4

v1.12.5

v1.12.6

v1.2.0-M1

v1.2.0-RC1

v1.2.0-RC2

v1.2.0-RC3

v1.3.0-M1

v1.3.0-M3

v1.3.0-M4

v1.3.0-M5

v1.3.0-M5-94d5ec

v1.3.0-RC1

v1.3.0-RC2

v1.3.0-RC3

v1.3.0-RC4

v1.3.0-RC5

v1.4.0

v1.4.0-M1

v1.4.0-M2

v1.4.0-RC1

v1.4.0-RC2

v1.4.1

v1.4.2

v1.4.3

v1.5.0

v1.5.0-M1

v1.5.0-M2

v1.5.0-RC1

v1.5.0-RC2

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.6.0

v1.6.0-RC1

v1.6.0-RC2

v1.6.2

v1.7.0

v1.7.0-M1

v1.7.0-M2

v1.7.0-M3

v1.7.0-RC1

v1.7.0-RC2

v1.7.1

v1.8.0

v1.8.0-RC1

v1.9.0

v1.9.0-M1

v1.9.0-RC1

v1.9.0-RC2

v1.9.0-RC2-1

v1.9.0-RC3

v1.9.1

v1.9.2

v1.9.3

v1.9.4

v1.9.5

v1.9.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32948.json"