CVE-2026-56004
Critical, CVSS 10.0
Summary
A shellcode injection vulnerability in the Mercurial handler of the obs tar_scm source service before version 0.12.4 allows attackers who can supply a malicious _service file to execute code as the source service or as the local user who checks out the malicious service.
Risk Assessment
The risk includes unauthorized code execution on the server or workstation, potentially leading to system compromise, data theft, or further attack propagation.
Recommendation
Immediately update obs tar_scm to version 0.12.4 or later. Restrict access to _service files to trusted users only.
Original NVD description (English source)
A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or the local user checking out the malicious services

