CVE-2026-32948 sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows

sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process"cmd", "/c", ... to run VCS commands git, hg, svn. The URI fragment branch, tag, revision is user-controlled via the build definition and passed to these commands without...

sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows

Summary On Windows, sbt uses Process"cmd", "/c", ... to run VCS commands git, hg, svn. The URI fragment branch, tag, revision is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious...

EUVD-2026-14990

sbt: Source dependency feature via crafted VCS URL leads to arbitrary code execution on Windows...

PT-2026-27306

sbt 1.12.7 is released, featuring a security fix for CVE-2026-32948, Source dependency feature via crafted VCS URL leading to arbitrary code execution on Windows...

Security Bulletin: Open Source Dependency Vulnerability

Summary IBM Edge Application Manager 4.5 has resolved the vulnerability. Vulnerability Details CVEID:CVE-2021-33587 DESCRIPTION: An unspecified error related to the failure to ensure that attribute parsing has Linear Time Complexity in Node.js css-what module has an unknown impact and attack...

Security Bulletin: Open Source Dependency Vulnerability

Summary IBM Edge Application Manager 4.5 has resolved the vulnerability. Vulnerability Details CVEID:CVE-2021-41190 DESCRIPTION: Open Container Initiative Distribution Specification could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when a Content-Type...

Security Bulletin: Open Source Dependency Vulnerability

Summary IBM Edge Application Manager 4.5 has resolved the vulnerability. Vulnerability Details CVEID:CVE-2021-23413 DESCRIPTION: jszip is vulnerable to a denial of service, caused by a prototype pollution flaw. By using a specially-crafted zip file with filenames set to Object prototype values, a...

Security Bulletin: Open Source Dependency Vulnerability

Summary IBM Edge Application Manager 4.5 has resolved the vulnerability. Vulnerability Details CVEID:CVE-2021-29060 DESCRIPTION: Node.js Color-String module is vulnerable to a denial of service, caused by an error when the application is provided and checks a crafted invalid HWB string. By sendin...

Security Bulletin: Open Source Dependency Vulnerability

Summary IBM Edge Application Manager 4.5 has resolved the vulnerability. Vulnerability Details CVEID:CVE-2021-43784 DESCRIPTION: Open Container Initiative runc could allow a remote authenticated attacker to bypass security restrictions, caused by an integer overflow in netlink bytemsg length fiel...

CVE-2020-5992

NVIDIA GeForce NOW application software on Windows, all versions prior to 2.0.25.119, contains a vulnerability in its open-source software dependency in which the OpenSSL library is vulnerable to binary planting attacks by a local user, which may lead to code execution or escalation of privileges...