Skip to main content

Buildservice

1 CVEs product

Monthly

CVE-2026-56004 CRITICAL PATCH Act Now

OS command injection in the mercurial (hg) handler of openSUSE's obs-service-tar_scm source service before 0.12.4 lets an attacker who can supply a _service file inject options and shell metacharacters through the 'revision' field, achieving arbitrary code execution as the source service or as a local user checking out the service. The CVSS 3.1 base score is 10.0 (scope-changed, network vector), reflecting that malicious input is processed by the build service. No public exploit has been identified at time of analysis, though the upstream fix (openSUSE/obs-service-tar_scm PR #552) publicly discloses the vulnerable code path.

Command Injection Buildservice
NVD GitHub
CVSS 3.1
10.0
EPSS
0.4%
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

OS command injection in the mercurial (hg) handler of openSUSE's obs-service-tar_scm source service before 0.12.4 lets an attacker who can supply a _service file inject options and shell metacharacters through the 'revision' field, achieving arbitrary code execution as the source service or as a local user checking out the service. The CVSS 3.1 base score is 10.0 (scope-changed, network vector), reflecting that malicious input is processed by the build service. No public exploit has been identified at time of analysis, though the upstream fix (openSUSE/obs-service-tar_scm PR #552) publicly discloses the vulnerable code path.

Command Injection Buildservice
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy