PT-2026-27306 · Sbt · Sbt

Anatoliykmetyuk · Published 2026-03-24 · Updated 2026-03-24 · CVE-2026-32948

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: sbt versions prior to 1.12.7

Description: On Windows, sbt uses Process("cmd", "/c", ...) to execute VCS commands. The URI fragment, which the user controls through the build definition, is passed to these commands without validation. The cmd /c interpreter treats characters such as &, |, and ; as command separators, so a malicious fragment can execute arbitrary commands. This happens because uri.getFragment() is passed to the run() function without sanitization, and run() then uses Process("cmd", "/c", ...) on Windows. A proof of concept demonstrates execution of arbitrary commands by crafting a malicious dependency URI.

Recommendations: Update to sbt version 1.12.7 or later.
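As an added illustration (not sbt's own code and not its actual fix), the vulnerable call shape beside a hardened one: the URI fragment is checked against an allowlist of characters plausible in a VCS ref, and the arguments are handed to the VCS executable as separate argv elements instead of one string through cmd /c. Assumes git as the VCS and a hypothetical FragmentGuard object.

```scala
import java.net.URI
import scala.sys.process._

// Hypothetical helper added for illustration; not sbt's own code.
object FragmentGuard {
  // Allowlist for a VCS ref (branch, tag or commit id): must start with a
  // letter or digit, so it can never be parsed as an option, and may not
  // contain cmd.exe separators such as & | ; or any quoting characters.
  private val SafeRef =
    java.util.regex.Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._/-]{0,127}$")

  def validateFragment(fragment: String): Either[String, String] =
    Option(fragment) match {
      case None                                    => Right("") // no fragment: default branch
      case Some(f) if SafeRef.matcher(f).matches() => Right(f)
      case Some(f)                                 => Left(s"rejected VCS ref '$f': disallowed characters")
    }

  // Vulnerable shape: a single string handed to cmd /c, so the shell parses
  // any separator embedded in the ref as the start of a new command.
  def vulnerableCommand(ref: String): Seq[String] =
    Seq("cmd", "/c", s"git checkout $ref")

  // Hardened shape: ref validated first, then passed as its own argv element.
  // Process(Seq(...)) spawns git directly; no command interpreter is involved.
  def hardenedCommand(uri: URI): Either[String, ProcessBuilder] =
    validateFragment(uri.getFragment).map { ref =>
      val argv = Seq("git", "checkout") ++ (if (ref.isEmpty) Nil else Seq(ref))
      Process(argv)
    }

  def main(args: Array[String]): Unit = {
    // Constructed sample URIs: one benign ref, one carrying a cmd separator.
    Seq("https://example.invalid/repo.git#release/1.2",
        "https://example.invalid/repo.git#main&echo injected").foreach { s =>
      hardenedCommand(new URI(s)) match {
        case Right(pb) => println(s"$s -> would run: $pb")
        case Left(err) => println(s"$s -> $err")
      }
    }
  }
}
```

The main method only builds the ProcessBuilder and prints it; nothing is executed, so it can be run offline to see which fragments the allowlist accepts.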

Exploit

Fix

OS Command Injection


Weakness Enumeration

Related identifiers

CVE-2026-32948
GHSA-X4FF-Q6H8-V7GW

Affected products

Sbt