Vulnerability Description
sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7.
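The root cause described above is a user-controlled URI fragment reaching a command line that cmd /c parses, so `&`, `|` and `;` split it into additional commands. The defensive pattern is twofold: validate the fragment against a strict allow-list before it is used, and invoke the VCS binary with an argument vector rather than a shell string. The following is an added illustration in Python, not sbt's own code or the upstream fix; the ref allow-list, the `fragment_of`/`checkout_argv` helper names and the per-VCS command templates are assumptions made for this example.

```python
import re
import subprocess
from typing import Dict, List

# Characters the advisory names as cmd.exe /c command separators.
CMD_SEPARATORS = frozenset("&|;")

# Conservative allow-list for a VCS ref (branch, tag or revision): must start
# with a letter or digit (so it can never be parsed as an option) and may only
# contain characters commonly found in refs. This is an assumption for the
# example, not the validation sbt applies.
_SAFE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]*$")

# Hypothetical checkout command templates; '{ref}' marks the validated ref slot.
_CHECKOUT: Dict[str, List[str]] = {
    "git": ["git", "checkout", "{ref}"],
    "hg": ["hg", "update", "{ref}"],
    "svn": ["svn", "update", "-r", "{ref}"],
}


def fragment_of(uri: str) -> str:
    """Return the fragment part of a VCS URI, or '' when there is none."""
    _, sep, frag = uri.partition("#")
    return frag if sep else ""


def is_safe_ref(ref: str) -> bool:
    """True when the ref contains no cmd separators and matches the allow-list.

    The explicit separator check is redundant with the regex but documents the
    exact failure mode the advisory describes.
    """
    if not ref or any(ch in CMD_SEPARATORS for ch in ref):
        return False
    return _SAFE_REF.match(ref) is not None


def checkout_argv(vcs: str, ref: str) -> List[str]:
    """Build an argument vector for a checkout, never a shell command string.

    The vulnerable shape is a single string handed to 'cmd /c'; an argv list
    passed to the process API keeps every element as one argument, so even a
    ref that slipped past validation could not become a second command.
    """
    if vcs not in _CHECKOUT:
        raise ValueError(f"unsupported VCS: {vcs}")
    if not is_safe_ref(ref):
        raise ValueError(f"rejected VCS ref: {ref!r}")
    return [ref if part == "{ref}" else part for part in _CHECKOUT[vcs]]


def run_checkout(vcs: str, uri: str, cwd: str) -> int:
    """Validate the URI fragment, then run the checkout without a shell."""
    argv = checkout_argv(vcs, fragment_of(uri))
    # shell=False (the default) is the point: no cmd.exe parsing of the ref.
    return subprocess.run(argv, cwd=cwd, check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs: a benign tag and a fragment carrying a separator.
    for uri in ("https://example.invalid/repo.git#v1.2.3",
                "https://example.invalid/repo.git#main&hostname"):
        ref = fragment_of(uri)
        print(f"{ref!r}: safe={is_safe_ref(ref)}")
```

`run_checkout` is what a build tool would call; `checkout_argv` is separated out so the argument vector can be inspected and tested without a VCS installed. On Windows, resolving `git` from PATH with an argv list still goes through CreateProcess, not cmd.exe, which is why the separators lose their meaning.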
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Scala.Epfl | Sbt | >= 0.9.5, < 1.12.7 |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e (Patch)
- https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800 (Patch)
- https://github.com/sbt/sbt/releases/tag/v1.12.7 (Product, Release Notes)
- https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-32948?
CVE-2026-32948 is a vulnerability with a CVSS score of 7.8 (HIGH). sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branc...
How severe is CVE-2026-32948?
CVE-2026-32948 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32948?
Check the references section above for vendor advisories and patch information. Affected products include: Scala.Epfl Sbt, Microsoft Windows.