
247 matches found

Veracode
added 2026/03/28 5:14 a.m., 2 views

OS Command Injection

sbt is vulnerable to OS Command Injection. The vulnerability is due to the lack of validation of the URI fragment, where a malicious fragment can execute arbitrary commands because cmd /c interprets &, |, and ; as command separators...

CVSS 7.8 | AI score 6.1 | EPSS 0.00017
Exploits: 1 | References: 5 | Affected Software: 1

Cvelist
added 2026/03/24 6:48 p.m., 17 views

CVE-2026-32948 sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows

sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without...

CVSS 6.7 | EPSS 0.00017
Exploits: 1 | References: 4

vulnersOsv
added 2026/03/24 4:4 p.m., 4 views

africa.shuwari.sbt:sbt-js_2.12_1.0 (=0.16.1), africa.shuwari.sbt:sbt-netbeans_2.12_1.0 (>=0.1.0 <=0.1.1) +342 more potentially affected by CVE-2026-32948 via org.scala-sbt:sbt (>=1.0.0-M1 <=1.12.7)

org.scala-sbt:sbt MAVEN version =1.0.0-M1, =0.1.0, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.14.1, =0.12.1, =0.0.1, =0.0.5 - br.com.mobilemind:livereload_2.12_1.0 =0.2.10 - build.bleep:sbt-export-dependencies_2.12_1.0 =0.4.0 and more Source cves: CVE-2026-32948 Source advisory:...

CVSS 7.8 | AI score 5.8 | EPSS 0.00017
Exploits: 1

Github Security Blog
added 2026/03/24 4:4 p.m., 3 views

sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows

Summary: On Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious...

CVSS 7.8 | AI score 6.2 | EPSS 0.00017
Exploits: 1 | References: 6 | Affected Software: 1

vulnersOsv
added 2026/03/24 4:4 p.m., 6 views

africa.shuwari.sbt:sbt-js_2.12_1.0 (=0.16.1), africa.shuwari.sbt:sbt-netbeans_2.12_1.0 (>=0.1.0 <=0.1.1) +341 more potentially affected by CVE-2026-32948 via org.scala-sbt:main_2.12 (>=1.0.0-M5 <=1.12.6)

org.scala-sbt:main_2.12 MAVEN version =1.0.0-M5, =0.1.0, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.14.1, =0.12.1, =0.0.1, =0.0.5 - br.com.mobilemind:livereload_2.12_1.0 =0.2.10 - build.bleep:sbt-export-dependencies_2.12_1.0 =0.4.0 and more Source cves: CVE-2026-32948 Source advisory:...

CVSS 7.8 | AI score 5.8 | EPSS 0.00017
Exploits: 1

OSV
added 2026/03/24 4:4 p.m., 2 views

GHSA-X4FF-Q6H8-V7GW sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows

Summary: On Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious...

CVSS 6.7 | AI score 6.2 | EPSS 0.00017
Exploits: 1 | References: 6

EUVD
added 2026/03/24 4:4 p.m., 0 views

EUVD-2026-14990

sbt: Source dependency feature via crafted VCS URL leads to arbitrary code execution on Windows...

CVSS 6.7 | AI score 6.4 | EPSS 0.00017
Exploits: 1 | References: 4

Snyk
added 2026/03/24 4:4 p.m., 2 views

Command Injection

Overview: org.scala-sbt:main_2.11: sbt is an interactive build tool. Affected versions of this package are vulnerable to Command Injection in the Process("cmd", "/c", ...) used to execute VCS commands on Windows when handling user-controlled URI fragments. An attacker can execute arbitrary Windows...

CVSS 8.4 | AI score 6.2 | EPSS 0.00017
Exploits: 1 | References: 2

vulnersOsv
added 2026/03/24 4:4 p.m., 4 views

org.scala-sbt:sbt (>=0.99.2 <=1.0.0-M4), org.scala-sbt:scripted-plugin_2.10 (>=0.99.2 <=1.0.0-M4) +1 more potentially affected by CVE-2026-32948 via org.scala-sbt:main_2.11 (>=0.99.2 <=1.0.0-M4)

org.scala-sbt:main_2.11 MAVEN version =0.99.2, =0.99.2, =0.99.2, =0.99.2, =1.0.0-M4 Source cves: CVE-2026-32948 Source advisory: SNYK:JAVA-ORGSCALASBT-15763414...

CVSS 7.8 | AI score 5.8 | EPSS 0.00017
Exploits: 1

vulnersOsv
added 2026/03/03 12:31 p.m., 2 views

com.expediagroup.apiary:apiary-ranger-metastore-plugin (>=7.2.1 <=8.1.15), com.witboost.provisioning:scala-mesh-ranger_2.13 (=1.0.0) +67 more potentially affected by CVE-2025-59059 via org.apache.ranger:ranger-plugins-common (>=0.6.0 <=2.7.0)

org.apache.ranger:ranger-plugins-common MAVEN version =0.6.0, =7.2.1, =0.8.44-4, =0.18.0, =466, =0.6.0-incubating, =0.8.0-incubating, =1.6.0-incubating, =1.6.0-incubating, =0.3.0, =0.3.0, =1.1.0, =1.1.0, =2.0.0, =1.3.0, =2.0.0 and more Source cves: CVE-2025-59059 Source advisory:...

CVSS 9.8 | AI score 5.8 | EPSS 0.00101
Exploits: 1

vulnersOsv
added 2026/01/07 6:30 p.m., 3 views

africa.absa:inception-application (>=1.0.0 <=1.2.0), app.fmgp:scala-did-docs_3 (>=0.1.0-M16 <=0.1.0-M33) +3477 more potentially affected by CVE-2025-12543 via io.undertow:undertow-core (>=1.0.0.Alpha1 <=2.2.38.Final)

io.undertow:undertow-core MAVEN version =1.0.0.Alpha1, =1.0.0, =0.1.0-M16, =1.0.0, =0.4.0, =2.0.0, =1.0.2, =1.0.0, =1.2.1, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.1 and more Source cves: CVE-2025-12543 Source advisory: OSV:GHSA-J382-5JJ3-VW4J...

CVSS 9.6 | AI score 7.3 | EPSS 0.0005
Exploits: 0

vulnersOsv
added 2025/12/03 9:31 p.m., 3 views

africa.absa:inception-application (>=1.0.0 <=1.2.0), app.fmgp:scala-did-docs_3 (>=0.1.0-M16 <=0.1.0-M33) +3477 more potentially affected by CVE-2024-3884 via io.undertow:undertow-core (>=1.0.0.Alpha1 <=2.2.38.Final)

io.undertow:undertow-core MAVEN version =1.0.0.Alpha1, =1.0.0, =0.1.0-M16, =1.0.0, =0.4.0, =2.0.0, =1.0.2, =1.0.0, =1.2.1, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.1 and more Source cves: CVE-2024-3884 Source advisory: OSV:GHSA-6H4F-PJ3G-Q8FQ...

CVSS 7.5 | AI score 7.2 | EPSS 0.00126
Exploits: 0

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2018-0669

Malware in sbrugna...

CVSS 7.8 | AI score 6.8 | EPSS 0.00072
Exploits: 1 | References: 37

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2014-1175

Malware in sbrugna...

CVSS 8.8 | AI score 8.6 | EPSS 0.04912
Exploits: 1 | References: 3

EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2021-1049

Malware in sbrugna...

CVSS 6.2 | AI score 5.5 | EPSS 0.00068
Exploits: 1 | References: 8

EUVD
added 2025/10/07 12:30 a.m., 0 views

EUVD-2019-0212

Malware in sbrugna...

CVSS 9.3 | AI score 8 | EPSS 0.00735
Exploits: 0 | References: 5

EUVD
added 2025/10/03 8:7 p.m., 0 views

EUVD-2023-0335

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 5.6 | EPSS 0.00335
Exploits: 1 | References: 3

EUVD
added 2025/10/03 8:7 p.m., 1 view

EUVD-2025-27048

Malicious code in bioql PyPI...

CVSS 5.3 | AI score 6.3 | EPSS 0.00207
Exploits: 0 | References: 6

EUVD
added 2025/10/03 8:7 p.m., 1 view

EUVD-2022-3429

Malicious code in bioql PyPI...

CVSS 5.3 | AI score 5.5 | EPSS 0.0023
Exploits: 0 | References: 4

vulnersOsv
added 2025/09/23 5:37 p.m., 4 views

dev.hnaderi:scala-k8s-http4s-ember_sjs1_2.12 (>=0.11.0 <=0.25.0), dev.hnaderi:scala-k8s-http4s_sjs1_2.12 (>=0.4.0 <=0.10.0) +6 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-core_sjs1_2.12 (>=0.23.10 <=0.23.30)

org.http4s:http4s-ember-core_sjs1_2.12 MAVEN version =0.23.10, =0.11.0, =0.4.0, =0.0.10, =0.0.10, =0.23.10, =0.23.10, =0.0.1, =0.0.9 Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019567...

CVSS 7.5 | AI score 5.8 | EPSS 0.00072
Exploits: 1