Vulnerabilities ›

CVE-2026-32948

High ⚡ Exploit Available

CWE-78 — Weakness Type

                    Published: Mar 24, 2026                      ·  Modified: Mar 30, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands. This issue has been patched in version 1.12.7.

🤖 AI Executive Summary

sbt (Scala Build Tool) versions 0.9.5 through 1.12.6 on Windows are vulnerable to command injection through unvalidated VCS URI fragments. Attackers can execute arbitrary commands by crafting malicious git/hg/svn branch, tag, or revision parameters in build definitions. This affects development environments and CI/CD pipelines using sbt on Windows systems. Patch to version 1.12.7 or later is critical.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 28, 2026 16:16

🇸🇦 Saudi Arabia Impact Assessment

Saudi financial technology companies, government development agencies, and enterprises using Scala/Java development stacks are at risk. Primary impact on: (1) ARAMCO and energy sector IT teams using sbt for internal tools, (2) Banking sector fintech divisions (ALRAJHI, RIYAD, etc.) developing Scala-based systems, (3) Government digital transformation initiatives under NCA oversight, (4) Telecom providers (STC, MOBILY) with development operations. Risk is elevated in organizations with Windows-based development infrastructure and automated CI/CD pipelines. Supply chain risk exists for software vendors delivering sbt-built applications to Saudi entities.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Sector Energy and Utilities Telecommunications Software Development and IT Services Healthcare IT Systems Defense and Security

🎯 MITRE ATT&CK Techniques

T1059.003 - Command and Scripting Interpreter: Windows Command Shell T1190 - Exploit Public-Facing Application T1195.001 - Supply Chain Compromise: Compromise Software Dependencies T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys T1036.005 - Masquerading: Match Legitimate Name or Location

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all Windows systems running sbt versions 0.9.5-1.12.6 across development, CI/CD, and build environments

2. Audit build.sbt and build.scala files for user-controlled VCS URI fragments (git/hg/svn references)

3. Restrict build definition modifications to trusted developers only



PATCHING:

1. Upgrade sbt to version 1.12.7 or later immediately on all affected systems

2. Update sbt launcher scripts and wrapper configurations

3. Verify patch installation: sbt --version should show 1.12.7+

4. Test builds post-upgrade to ensure compatibility



COMPENSATING CONTROLS (if immediate patching delayed):

1. Disable VCS integration in sbt builds where possible

2. Use explicit, hardcoded branch/tag references instead of dynamic fragments

3. Implement input validation: sanitize branch/tag names to alphanumeric + hyphens/underscores only

4. Run sbt builds in isolated containers/VMs with minimal privileges

5. Restrict Windows command execution permissions on build servers



DETECTION:

1. Monitor sbt build logs for unusual cmd.exe invocations with special characters (&, |, ;)

2. Alert on build.sbt modifications containing dynamic VCS fragments

3. Implement file integrity monitoring on build definition files

4. Log all sbt process executions with command-line arguments

5. Search for patterns: Process("cmd", "/c") with unsanitized variables in codebase

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع أنظمة Windows التي تقوم بتشغيل إصدارات sbt من 0.9.5-1.12.6 عبر بيئات التطوير و CI/CD والبناء

2. تدقيق ملفات build.sbt و build.scala للبحث عن معاملات VCS التي يتحكم بها المستخدم

3. تقييد تعديلات تعريف البناء للمطورين الموثوقين فقط

التصحيح:

1. ترقية sbt إلى الإصدار 1.12.7 أو أحدث فوراً على جميع الأنظمة المتأثرة

2. تحديث نصوص مشغل sbt وتكوينات المجمع

3. التحقق من تثبيت التصحيح: sbt --version يجب أن يظهر 1.12.7+

4. اختبار البناء بعد الترقية لضمان التوافق

الضوابط البديلة (إذا تأخر التصحيح الفوري):

1. تعطيل تكامل VCS في بناء sbt حيث أمكن

2. استخدام مراجع فرع/علامة صريحة ومشفرة بدلاً من الأجزاء الديناميكية

3. تنفيذ التحقق من الإدخال: تنظيف أسماء الفروع/العلامات إلى أحرف وأرقام فقط

4. تشغيل بناء sbt في حاويات/أجهزة افتراضية معزولة بامتيازات محدودة

5. تقييد أذونات تنفيذ أوامر Windows على خوادم البناء

الكشف:

1. مراقبة سجلات بناء sbt للبحث عن استدعاءات cmd.exe غير العادية بأحرف خاصة

2. التنبيه على تعديلات build.sbt التي تحتوي على أجزاء VCS ديناميكية

3. تنفيذ مراقبة سلامة الملفات على ملفات تعريف البناء

4. تسجيل جميع عمليات sbt مع معاملات سطر الأوامر

5. البحث عن الأنماط: Process("cmd", "/c") مع متغيرات غير منظفة في قاعدة الأكواد

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.14.2.1 - Secure development and change management ECC 2024 A.14.2.5 - Access control to source code and build systems ECC 2024 A.12.6.1 - Management of technical vulnerabilities

🔵 SAMA CSF

SAMA CSF ID.BE-3.2 - Supply chain risk management SAMA CSF PR.DS-6 - Secure development practices SAMA CSF DE.CM-1 - Detection and monitoring of anomalous activity

🟡 ISO 27001:2022

ISO 27001:2022 A.8.1 - Asset management and inventory ISO 27001:2022 A.14.2.1 - Secure development policy ISO 27001:2022 A.14.2.5 - Secure development environment ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Security patches and updates PCI DSS 6.3.2 - Code review and testing PCI DSS 11.3 - Vulnerability scanning and assessment

🔗 References & Sources 4

🔗

https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e

security-advisories@github.com

Patch

🔗

https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800

security-advisories@github.com

Patch

🔗

https://github.com/sbt/sbt/releases/tag/v1.12.7

security-advisories@github.com

Product Release Notes

🔗

https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw

security-advisories@github.com

Exploit Vendor Advisory

📦 Affected Products / CPE 1 entries

scala.epfl:sbt

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionR — Required

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-78

Exploit ✓ Yes

Patch ✓ Yes

Published 2026-03-24

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

exploit-available patch-available CWE-78

🏢 Vendor Advisories

🔗 https://github.com/sbt/sbt/security/advisories/GHSA-...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-32948

💬 Comments

Introduce Yourself

Sign In Required