42 matches found
Malicious Package
Overview @sbtgitverse/analytics-client is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious code in @sbt_gitverse/analytics-client (npm)
Per source details. Source: amazon-inspector d2858d6765b337bc72b69faaa1a64e528931e8230756aa8a1d5ab4e58793357a The package @sbt_gitverse/analytics-client was found to contain malicious code. Source: ghsa-malware...
CVE-2026-32948
sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without...
CVE-2026-32948 sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows
sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without...
Command Injection
Overview org.scala-sbt:main_2.12 is part of sbt, an interactive build tool. Affected versions of this package are vulnerable to Command Injection in the Process("cmd", "/c", ...) call used to execute VCS commands on Windows when handling user-controlled URI fragments. An attacker can execute arbitrary Windows...
africa.shuwari.sbt:sbt-js_2.12_1.0 (=0.16.1), africa.shuwari.sbt:sbt-netbeans_2.12_1.0 (>=0.1.0 <=0.1.1) +342 more potentially affected by CVE-2026-32948 via org.scala-sbt:sbt (>=1.0.0-M1 <=1.12.7)
org.scala-sbt:sbt MAVEN version =1.0.0-M1, =0.1.0, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.14.1, =0.12.1, =0.0.1, =0.0.5 - br.com.mobilemind:livereload_2.12_1.0 =0.2.10 - build.bleep:sbt-export-dependencies_2.12_1.0 =0.4.0 and more Source cves: CVE-2026-32948 Source advisory:...
africa.shuwari.sbt:sbt-js_2.12_1.0 (=0.16.1), africa.shuwari.sbt:sbt-netbeans_2.12_1.0 (>=0.1.0 <=0.1.1) +341 more potentially affected by CVE-2026-32948 via org.scala-sbt:main_2.12 (>=1.0.0-M5 <=1.12.6)
org.scala-sbt:main_2.12 MAVEN version =1.0.0-M5, =0.1.0, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.14.1, =0.12.1, =0.0.1, =0.0.5 - br.com.mobilemind:livereload_2.12_1.0 =0.2.10 - build.bleep:sbt-export-dependencies_2.12_1.0 =0.4.0 and more Source cves: CVE-2026-32948 Source advisory:...
PT-2026-27306
sbt 1.12.7 is released, featuring a security fix for CVE-2026-32948: the source dependency feature, via a crafted VCS URL, leading to arbitrary code execution on Windows...
EUVD-2023-2746
Malicious code in bioql PyPI...
CVE-2023-46122
sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, IO.unzip allows writing an arbitrary file. This has the potential to overwrite /root/.ssh/authorized_keys. Within sbt's main code, IO.unzip is used in the pullRemoteCache task and Resolvers.remote; however...
Moderate: Red Hat Security Advisory: Red Hat AMQ Streams 2.5.2 release and security update
Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...
openSUSE: Security Advisory for maven, maven (SUSE-SU-2023:4527-1)
The remote host is missing an update for the referenced advisory. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : maven, maven-resolver, sbt, xmvn (SUSE-SU-2023:4527-1)
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability referenced in the SUSE-SU-2023:4527-1 advisory. - sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, IO.unzip...
SUSE: Security Advisory (SUSE-SU-2023:4527-1)
The remote host is missing an update for the referenced advisory. SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
SUSE-SU-2023:4527-1 Security update for maven, maven-resolver, sbt, xmvn
This update for maven, maven-resolver, sbt, xmvn fixes the following issues: - CVE-2023-46122: Fixed an arbitrary file write when extracting a crafted zip file with sbt (bsc#1216529). - Upgraded maven to version 3.9.4 - Upgraded maven-resolver to version 1.9.15...
sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)
Impact Given a specially crafted zip or JAR file, IO.unzip allows writing an arbitrary file. The following is an example of a malicious entry: +2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys This has the potential to overwrite /root/.ssh/authorized_keys. Within sbt's ma...
africa.shuwari.sbt:sbt-js_2.12_1.0 (>=0.14.1 <=0.16.1), africa.shuwari.sbt:sbt-netbeans_2.12_1.0 (>=0.1.0 <=0.1.1) +544 more potentially affected by CVE-2023-46122 via org.scala-sbt:sbt (>=0.99.2 <=1.9.6)
org.scala-sbt:sbt MAVEN version =0.99.2, =0.14.1, =0.1.0, =0.9.6, =0.12.1, =0.9.6, =0.9.6, =0.9.6, =0.9.6, =0.14.1, =0.9.6, =0.14.1, =0.1.0, =0.0.1, =0.0.5 and more Source cves: CVE-2023-46122 Source advisory: OSV:GHSA-H9MW-GRGX-2FHF...
GHSA-H9MW-GRGX-2FHF sbt vulnerable to arbitrary file write via archive extraction (Zip Slip)
Impact Given a specially crafted zip or JAR file, IO.unzip allows writing an arbitrary file. The following is an example of a malicious entry: +2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys This has the potential to overwrite /root/.ssh/authorized_keys. Within sbt's ma...
africa.shuwari.sbt:sbt-js_2.12_1.0 (>=0.14.1 <=0.16.1), africa.shuwari.sbt:sbt-netbeans_2.12_1.0 (>=0.1.0 <=0.1.1) +676 more potentially affected by CVE-2023-46122 via org.scala-sbt:io_2.12 (>=1.0.0 <=1.9.1)
org.scala-sbt:io_2.12 MAVEN version =1.0.0, =0.14.1, =0.1.0, =0.9.6, =0.12.1, =0.9.6, =0.9.6, =0.9.6, =0.9.6, =0.14.1, =0.9.6, =0.14.1, =0.1.0, =0.0.1, =0.0.5 and more Source cves: CVE-2023-46122 Source advisory: OSV:GHSA-H9MW-GRGX-2FHF...