CVE-2026-56004

Source
https://cve.org/CVERecord?id=CVE-2026-56004
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56004.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-56004
Downstream
Related
Published
2026-07-02T14:54:02.119Z
Modified
2026-07-08T08:14:12.319371626Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
obs-service-tar_scm: command injection via mercurial handler
Details

A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or the local user checking out the malicious services

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56004.json",
    "cna_assigner": "suse",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/opensuse/obs-service-tar_scm

Affected ranges

Type
GIT
Repo
https://github.com/opensuse/obs-service-tar_scm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.12.4"
        }
    ]
}

Affected versions

0.*
0.10.10
0.10.11
0.10.12
0.10.13
0.10.14
0.10.15
0.10.16
0.10.17
0.10.18
0.10.19
0.10.20
0.10.21
0.10.22
0.10.23
0.10.24
0.10.25
0.10.26
0.10.27
0.10.28
0.10.29
0.10.30
0.10.31
0.10.32
0.10.33
0.10.34
0.10.35
0.10.36
0.10.37
0.10.38
0.10.39
0.10.40
0.10.41
0.10.42
0.10.43
0.10.44
0.10.45
0.10.46
0.10.47
0.10.48
0.10.49
0.10.50
0.10.51
0.10.52
0.10.53
0.11.0
0.11.1
0.12.0
0.12.1
0.12.2
0.12.3
Other
before-python-rewrite
v0.*
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.10.5
v0.10.6
v0.10.7
v0.10.8
v0.10.9
v0.2.3
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.6.0
v0.7.0
v0.8.0
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56004.json"