{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32948", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.284Z", "datePublished": "2026-03-24T18:48:30.620Z", "dateUpdated": "2026-03-26T13:21:23.354Z"}, "containers": {"cna": {"title": "sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"}, {"name": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e"}, {"name": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800"}, {"name": "https://github.com/sbt/sbt/releases/tag/v1.12.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/sbt/sbt/releases/tag/v1.12.7"}], "affected": [{"vendor": "sbt", "product": "sbt", "versions": [{"version": ">= 0.9.5, < 1.12.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:48:30.620Z"}, "descriptions": [{"lang": "en", "value": "sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process(\"cmd\", \"/c\", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7."}], "source": {"advisory": "GHSA-x4ff-q6h8-v7gw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T03:55:37.968982Z", "id": "CVE-2026-32948", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:21:23.354Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32948", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T03:55:37.968982Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:28:23.163Z"}}], "cna": {"title": "sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows", "source": {"advisory": "GHSA-x4ff-q6h8-v7gw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "sbt", "product": "sbt", "versions": [{"status": "affected", "version": ">= 0.9.5, < 1.12.7"}]}], "references": [{"url": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw", "name": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e", "name": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800", "name": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sbt/sbt/releases/tag/v1.12.7", "name": "https://github.com/sbt/sbt/releases/tag/v1.12.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process(\"cmd\", \"/c\", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:48:30.620Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32948", "state": "PUBLISHED", "dateUpdated": "2026-03-26T13:21:23.354Z", "dateReserved": "2026-03-17T00:05:53.284Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T18:48:30.620Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:scala.epfl:sbt:*:*:*:*:*:*:*:*", "matchCriteriaId": "98332CC2-3012-483E-8C64-DF7E640E440A", "versionEndExcluding": "1.12.7", "versionStartIncluding": "0.9.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process(\"cmd\", \"/c\", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7."}, {"lang": "es", "value": "sbt es una herramienta de construcci\u00f3n para Scala, Java y otros. Desde la versi\u00f3n 0.9.5 hasta antes de la versi\u00f3n 1.12.7, en Windows, sbt utiliza Process(cmd, /c, ...) para ejecutar comandos VCS (git, hg, svn). El fragmento URI (rama, etiqueta, revisi\u00f3n) es controlado por el usuario a trav\u00e9s de la definici\u00f3n de construcci\u00f3n y se pasa a estos comandos sin validaci\u00f3n. Debido a que cmd /c interpreta &amp;, |, y ; como separadores de comandos, un fragmento malicioso puede ejecutar comandos arbitrarios. Este problema ha sido parcheado en la versi\u00f3n 1.12.7."}], "id": "CVE-2026-32948", "lastModified": "2026-03-26T20:27:54.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:27.180", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/sbt/sbt/releases/tag/v1.12.7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "org.scala-sbt/sbt: sbt: Arbitrary command execution via unvalidated URI fragments on Windows", "id": "2450890", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450890"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in sbt, a build tool for Scala and Java. On Windows, sbt uses the `cmd /c` command interpreter to execute version control system (VCS) commands. A remote attacker can exploit this by providing a specially crafted URI fragment (such as a branch, tag, or revision name) in the build definition. Because `cmd /c` interprets special characters as command separators, this lack of validation allows the attacker to inject and execute arbitrary commands on the system where sbt is running."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-32948", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "sbt", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "sbt", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "sbt", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-03-24T18:48:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32948\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32948\nhttps://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e\nhttps://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800\nhttps://github.com/sbt/sbt/releases/tag/v1.12.7\nhttps://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.9.5,1.12.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "sbt", "source": "cna", "vendor": "sbt"}, "product": "sbt", "vendor": "sbt"}], "analysis": {"en": {"generated_at": "2026-03-26T21:33:08.824224+00:00", "value": {"mitigation_remediation": ["Upgrade sbt to version 1.12.7 or later, which removes the vulnerable cmd /c usage."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects SBT versions from 0.9.5 up to, but not including, 1.12.7 on Windows platforms. Any Windows installations running these older SBT versions and processing build files that reference source dependencies via VCS URLs are at risk.", "description_and_impact": "SBT, the Scala build tool, was found to execute VCS commands using the Windows command interpreter. When a build definition includes a VCS URL, the fragment part of that URL (branch, tag, or revision information) is inserted directly into a cmd /c command string without validation. The command interpreter treats characters such as &, |, and ; as command separators, allowing a crafted fragment to inject arbitrary shell commands. This permits an attacker who can influence the build definition to execute any command with the permissions of the sbt process, potentially compromising the entire build environment. The weakness is a classic command injection flaw (CWE-78).", "risk_and_exploitability": "The CVSS score is 6.7, indicating moderate severity, while the EPSS score is reported as less than 1\u202f%, suggesting a low probability of exploitation in the wild. The flaw is not listed in CISA\u2019s KEV catalog. Because sbt runs on the local machine during build time, the attack vector is local or user\u2011provided, with the attacker needing to supply a malicious build definition or a compromised source dependency URL. If an attacker can deliver such a build file, they could gain full control of the sbt process on a Windows machine."}}}}, "created": "2026-03-25T11:46:28.580066+00:00", "updated": "2026-03-27T09:20:44.331164+00:00", "vendors": ["sbt", "sbt$PRODUCT$sbt"]}