CVSS 10.0 · CRITICAL

CVE-2026-56004

A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or the local user checking out the malicious services.


Analysis

A critical command injection vulnerability in the tar_scm service of Open Build Service (OBS) allows remote code execution when processing Mercurial repositories. Attackers can take control of the system through malicious configuration files during the build or source download process.

Relevant roles

Linux, CyberSecurity, Backend, Cloud

Severity

Score: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-78

EPSS

No EPSS score yet (CVE may be too fresh).

Technical description

A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or the local user checking out the malicious services.

Published: 7/2/2026, 3:17:06 PM
Last modified: 7/2/2026, 5:45:44 PM
