Fixing a Command Injection Vulnerability in sbt
Briefly

"The vulnerability allows an attacker to inject commands disguised as a source dependency URL, which could pass code review due to unexpected behavior. This poses a risk of arbitrary command execution when building projects."
"The severity of the vulnerability is rated as moderate because it requires an attacker to actively build a project containing a malicious dependency URI, and the user must also build that project locally."
"The fix for the vulnerability follows established guidance from OWASP, Oracle's Secure Coding Guidelines, and the JEP 8263697 proposal for safer process launching, ensuring a more secure environment for users."
A command injection vulnerability was discovered in sbt's handling of source dependencies on Windows, assigned CVE-2026-32948 and rated Moderate. This vulnerability has existed since sbt 0.9.5 and affects both sbt 1.x and sbt 2.0 release candidates. Exploitation requires an attacker to create a malicious dependency URI and a user to build the project. The fix adheres to OWASP and Oracle's Secure Coding Guidelines, and users are advised to update to sbt 1.12.8 or sbt 2.0.0-RC10 or later to mitigate the risk.
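The defensive pattern the advisory points at (reject a dependency URI that is not a plain repository URL, then launch the tool with an argument vector instead of a shell command line) as an added illustration; this is not sbt's code, and the allowed schemes, the `git clone` invocation and the sample URIs are assumptions made for the example.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Assumed policy: only these schemes are accepted for a source dependency.
ALLOWED_SCHEMES = {"https", "ssh", "git"}

# Characters that carry meaning for cmd.exe or a POSIX shell; none of them
# belongs in a repository URL, so their presence is treated as an injection attempt.
_SHELL_META = re.compile(r'[\s&|;<>^`$"\'(){}%!]')


def is_safe_source_uri(uri: str) -> bool:
    """True only for an absolute URL with an allowed scheme and a host part.

    scp-style shorthand (git@host:org/repo.git) has no scheme and is rejected here;
    widening the policy is a deliberate decision, not an accident of parsing.
    """
    if _SHELL_META.search(uri):
        return False
    parts = urlsplit(uri)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def git_clone_argv(uri: str, dest: str) -> list:
    """Build the argument vector for cloning a validated dependency.

    '--' ends option parsing, so a URI that somehow starts with '-' is still
    treated by git as a positional argument rather than an option.
    dest is assumed to be generated by the build tool, not taken from the URI.
    """
    if not is_safe_source_uri(uri):
        raise ValueError(f"rejected source dependency URI: {uri!r}")
    return ["git", "clone", "--", uri, dest]


def clone_source_dependency(uri: str, dest: str) -> subprocess.CompletedProcess:
    # shell=False: the list elements reach git verbatim as separate arguments and no
    # cmd.exe or sh ever tokenises the URI, which is the root of the injection risk.
    return subprocess.run(git_clone_argv(uri, dest), shell=False, check=True)
```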
Read at Scala-lang