CVE Catalog

CVE-2026-56004

Critical · CVSS 10.0

Summary

A shellcode injection vulnerability in the Mercurial handler of the obs tar_scm source service before version 0.12.4 allows attackers who can supply a malicious _service file to execute code as the source service or as the local user who checks out that service.

Risk Assessment

The risk includes unauthorized code execution on the server or workstation, potentially leading to system compromise, data theft, or further attack propagation.

Recommendation

Immediately update obs tar_scm to version 0.12.4 or later. Restrict access to _service files to trusted users only.

Original NVD description (English source)

A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or the local user checking out the malicious services.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS