Shellcode Injection in openSUSE obs_tar_scm before 0.12.4
CVE-2026-56004 Published on July 2, 2026
obs-service-tar_scm: command injection via mercurial handler
A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or the local user checking out the malicious services
Vulnerability Analysis
CVE-2026-56004 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2026-56004 has been classified to as a Shell injection vulnerability or weakness.
Affected Versions
openSUSE buildservice:- Before 0.12.4 is affected.