CVE-2026-32948
Published: 24 March 2026
Summary
CVE-2026-32948 is a high-severity OS Command Injection (CWE-78) vulnerability in Scala.Epfl Sbt. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003); ranked at the 3.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation ensures patching sbt to version 1.12.7, which fixes the command injection vulnerability in VCS command execution.
Software usage restrictions via allowlisting approved sbt versions prevent execution of vulnerable instances prone to URI fragment-based command injection.
Vulnerability scanning identifies deployments of vulnerable sbt versions (0.9.5 to <1.12.7), enabling targeted remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection into Windows cmd.exe via untrusted build definition URI enables direct use of Windows Command Shell (T1059.003); exploitation requires victim to run sbt against a malicious local file or dependency (T1204.002).
NVD Description
sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via…
more
the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7.
Deeper analysisAI
CVE-2026-32948 is an OS command injection vulnerability (CWE-78) in sbt, an open-source build tool for Scala, Java, and other languages. It affects versions from 0.9.5 up to but excluding 1.12.7 on Windows systems. The flaw occurs when sbt executes version control system (VCS) commands for git, hg, or svn using the Process("cmd", "/c", ...) invocation. A user-controlled URI fragment—specifying a branch, tag, or revision—from the build definition is passed to these commands without validation. Windows cmd /c interprets characters such as &, |, and ; as command separators, allowing injection of arbitrary commands. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation requires an attacker to control the build definition, such as through a malicious project dependency or repository. A victim with local access to the Windows system must then interact by running sbt to build the project, triggering the VCS command with the tainted URI fragment. No privileges are needed (PR:N), and the attack is low complexity (AC:L). Successful exploitation enables arbitrary command execution on the victim's machine, potentially leading to high-impact compromise of confidentiality, integrity, and availability.
The vulnerability was patched in sbt version 1.12.7. Security practitioners should upgrade affected installations immediately. Official mitigation details are available in the GitHub Security Advisory (GHSA-x4ff-q6h8-v7gw), the v1.12.7 release notes, and the patching commits 1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e and 3a474ab060df4dbfa825a7e7bc97e00056519800.
Details
- CWE(s)