CVE Alert

CVE-2026-56004

CRITICAL 10.0

obs-service-tar_scm: command injection via mercurial handler

CVSS Score: 10.0
EPSS Score: 0.0%
EPSS Percentile: 0th

A shellcode injection in the Mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or as the local user checking out the malicious services.

CWE: CWE-78
Vendor: opensuse
Product: buildservice
Published: Jul 2, 2026
Last Updated: Jul 2, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

openSUSE / buildservice
0 < 0.12.4

References

github.com: https://github.com/openSUSE/obs-service-tar_scm/pull/552/changes/bcf29d318c671c45fe87dd9f995a4a0c78ecedd7

Credits

Maxime Rinaudo of Fenrisk (www.fenrisk.com)