CVE-2026-32948

sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e	Patch
https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800	Patch
https://github.com/sbt/sbt/releases/tag/v1.12.7	Product Release Notes
https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:scala.epfl:sbt:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

26 Mar 2026, 20:27

Type	Values Removed	Values Added
References	~~() https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e -~~	() https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e - Patch
References	~~() https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800 -~~	() https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800 - Patch
References	~~() https://github.com/sbt/sbt/releases/tag/v1.12.7 -~~	() https://github.com/sbt/sbt/releases/tag/v1.12.7 - Product, Release Notes
References	~~() https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw -~~	() https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw - Exploit, Vendor Advisory
First Time		Microsoft Scala.epfl Scala.epfl sbt Microsoft windows
CPE		cpe:2.3:a:scala.epfl:sbt:::::::: cpe:2.3:o:microsoft:windows:-:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
Summary		(es) sbt es una herramienta de construcción para Scala, Java y otros. Desde la versión 0.9.5 hasta antes de la versión 1.12.7, en Windows, sbt utiliza Process(cmd, /c, ...) para ejecutar comandos VCS (git, hg, svn). El fragmento URI (rama, etiqueta, revisión) es controlado por el usuario a través de la definición de construcción y se pasa a estos comandos sin validación. Debido a que cmd /c interpreta &, \|, y ; como separadores de comandos, un fragmento malicioso puede ejecutar comandos arbitrarios. Este problema ha sido parcheado en la versión 1.12.7.

24 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-24 20:16

Updated : 2026-03-26 20:27

NVD link : CVE-2026-32948

Mitre link : CVE-2026-32948

CVE.ORG link : CVE-2026-32948

JSON object : View

Products Affected

scala.epfl

microsoft

windows

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

7.8 /10