CVE-2026-56004
obs-service-tar_scm: command injection via mercurial handler
CVSS Score
10.0
EPSS Score
0.0%
EPSS Percentile
0th
A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or the local user checking out the malicious services
| CWE | CWE-78 |
| Vendor | opensuse |
| Product | buildservice |
| Published | Jul 2, 2026 |
| Last Updated | Jul 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for opensuse buildservice
Be the first to know when new critical vulnerabilities affecting opensuse buildservice are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
openSUSE / buildservice
0 < 0.12.4
References
Credits
Maxime Rinaudo of Fenrisk (www.fenrisk.com <http://www.fenrisk.com>)