Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Providing a processed _service file generally needs submit access, so PR:L; injection escapes the service context (S:C) yielding full C/I/A code execution; hg handler input keeps AC:L.
Primary rating from Vendor (suse).
CVSS VectorVendor: suse
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionCVE.org
A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or the local user checking out the malicious services
AnalysisAI
OS command injection in the mercurial (hg) handler of openSUSE's obs-service-tar_scm source service before 0.12.4 lets an attacker who can supply a _service file inject options and shell metacharacters through the 'revision' field, achieving arbitrary code execution as the source service or as a local user checking out the service. The CVSS 3.1 base score is 10.0 (scope-changed, network vector), reflecting that malicious input is processed by the build service. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Identify all systems running obs-service-tar_scm and assess exposure through build pipeline documentation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41404
GHSA-f3xh-pcqp-fpcm