CVE-2026-56004
A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or the local user checking out the malicious services.
Analysis
A critical command injection vulnerability in the tar_scm service of Open Build Service (OBS) allows remote code execution when processing Mercurial repositories. Attackers can take control of the system through malicious configuration files during the build or source download process.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-78
EPSS
No EPSS score yet (CVE may be too fresh).
Technical description
A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or the local user checking out the malicious services.