CVE-2026-32948
unknown
CVSS v3
-
CVSS v4
-
VIR risk
-
Description
sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows
Predictions
Exploit likelihood
20%
Patch ETA
-
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.scala-sbt:sbt | >=0.9.5,<1.12.8 | 1.12.8 |
References
- https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw
- https://nvd.nist.gov/vuln/detail/CVE-2026-32948
- https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e
- https://github.com/sbt/sbt/commit/3a474ab060df4dbfa825a7e7bc97e00056519800
- https://github.com/sbt/sbt
- https://github.com/sbt/sbt/releases/tag/v1.12.7