Skip to main content

Windows CVE-2026-32948

| EUVDEUVD-2026-14990 MEDIUM
OS Command Injection (CWE-78)
2026-03-24 https://github.com/sbt/sbt GHSA-x4ff-q6h8-v7gw
6.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.7 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
5.7 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 16:15 euvd
EUVD-2026-14990
Analysis Generated
Mar 24, 2026 - 16:15 vuln.today
Patch released
Mar 24, 2026 - 16:15 nvd
Patch available
CVE Published
Mar 24, 2026 - 16:04 nvd
MEDIUM 6.7

DescriptionGitHub Advisory

Summary

On Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands.

Details

PoC

sh
# build.properties
# sbt.version=1.12.5
# Tested on those two versions of sbt
sbt.version=2.0.0-RC9
scala
// build.sbt

ThisBuild / scalaVersion := "2.12.19"

lazy val root = project
  .in(file("."))
  .dependsOn(vulnerable)

lazy val vulnerable = RootProject(
  uri("https://github.com/sbt/io.git#develop%26%26calc.exe")
)

Impact

Windows users are impacted. An attacker can execute arbitrary Windows commands if they control the dependency URI.

AnalysisAI

sbt on Windows is vulnerable to command injection through unvalidated URI fragments in VCS dependency declarations. When resolving git, mercurial, or subversion repositories, sbt passes user-controlled branch, tag, or revision parameters directly to cmd.exe without sanitization, allowing attackers to inject arbitrary Windows commands via special characters like &, |, and ; that cmd /c interprets as command separators. An attacker who controls a dependency URI in a project's build.sbt file can execute arbitrary commands with the privileges of the user running sbt. A proof-of-concept exists demonstrating execution of calc.exe, and patches are available from the vendor for sbt versions 1.12.7 and later.

Technical ContextAI

The vulnerability exists in sbt (Scala Build Tool), identified by CPE pkg:maven/org.scala-sbt:sbt, specifically in the Resolvers.scala module which handles dependency resolution from version control systems. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command, aka OS Command Injection). The vulnerable code path passes uri.getFragment() directly to a Process constructor that uses Process("cmd", "/c", ...) on Windows systems. The cmd.exe shell interprets several metacharacters—specifically ampersand (&), pipe (|), and semicolon (;)—as command separators and operators, enabling command chaining. Unlike Unix shells where argument quoting provides some protection, cmd /c does not properly isolate the URI fragment parameter from the shell metacharacter interpretation layer. This affects sbt versions prior to 1.12.7 and 2.0.0-RC9 and later, as confirmed in testing by the reporter.

RemediationAI

Immediately upgrade sbt to version 1.12.7 or later for the 1.x branch, or to 2.0.0-RC9 or later for the 2.x branch. Apply the patches referenced in commits 1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e and 3a474ab060df4dbfa825a7e7bc97e00056519800 if building from source. As an interim workaround for organizations unable to immediately patch, audit all build.sbt files and build.properties configurations to ensure dependency URIs come only from trusted internal repositories and do not contain user-controllable fragment identifiers. Restrict developer machines to execute sbt only within sandboxed environments or CI/CD systems where command execution can be monitored and logged. Additionally, configure development machines to reject or warn on build definitions that reference external VCS repositories with fragments or complex URIs. Consult the vendor advisory at https://github.com/sbt/sbt/releases/tag/v1.12.7 for detailed upgrade instructions.

CVE-2021-40444 HIGH POC
8.8 Sep 15

Windows MSHTML component contains a remote code execution vulnerability that allows attackers to craft malicious ActiveX

CVE-2021-1732 HIGH POC
7.8 Feb 25

Windows Win32k contains an out-of-bounds write vulnerability enabling local privilege escalation to SYSTEM, exploited by

CVE-2018-8174 HIGH POC
7.5 May 09

The Windows VBScript engine contains a remote code execution vulnerability in object handling that allows full system co

CVE-2019-0803 HIGH POC
7.8 Apr 09

Windows Win32k fails to properly handle objects in memory, allowing local privilege escalation exploited in the wild in

CVE-2020-1472 MEDIUM POC
5.5 Aug 17

A privilege escalation vulnerability (CVSS 5.5). Risk factors: actively exploited (KEV-listed), EPSS 94% exploitation pr

CVE-2024-30088 HIGH POC
7.0 Jun 11

Windows Kernel contains a TOCTOU race condition vulnerability allowing local privilege escalation, exploited by the OilR

CVE-2025-33053 HIGH POC
8.8 Jun 10

Windows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables

CVE-2025-33073 HIGH POC
8.8 Jun 10

Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker

CVE-2025-13315 CRITICAL POC
9.3 Nov 19

Twonky Server 8.5.2 on Linux and Windows allows unauthenticated access to the admin log file through a web service API b

CVE-2013-10047 CRITICAL POC
9.3 Aug 01

An unrestricted file upload vulnerability exists in MiniWeb HTTP Server <= Build 300 that allows unauthenticated remote

CVE-2012-10030 CRITICAL POC
9.3 Aug 05

FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbit

CVE-2025-34101 CRITICAL POC
9.3 Jul 10

Serviio Media Server versions 1.4 through 1.8 on Windows contain an unauthenticated command injection in the /rest/actio

Vendor StatusVendor

Share

CVE-2026-32948 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy