2 matches found
CVE-2026-32948
CVE-2026-32948 affects sbt on Windows: when resolving VCS dependencies, sbt uses Process("cmd", "/c", ...), passing a user-controlled URI fragment (branch/tag/revision) without validation. Because cmd /c treats special characters (&, |, ;) as separators, a crafted fragment can inject and execute ...
sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows
Summary On Windows, sbt uses Process"cmd", "/c", ... to run VCS commands git, hg, svn. The URI fragment branch, tag, revision is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious...