{"id":"CVE-2026-56004","summary":"obs-service-tar_scm: command injection via mercurial handler","details":"A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or the local user checking out the malicious services","modified":"2026-07-08T08:14:12.319371626Z","published":"2026-07-02T14:54:02.119Z","related":["openSUSE-SU-2026:11189-1"],"database_specific":{"cna_assigner":"suse","cwe_ids":["CWE-78"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56004.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56004.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-56004"},{"type":"FIX","url":"https://github.com/openSUSE/obs-service-tar_scm/pull/552/changes/bcf29d318c671c45fe87dd9f995a4a0c78ecedd7"},{"type":"PACKAGE","url":"https://github.com/openSUSE/obs-service-tar_scm"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opensuse/obs-service-tar_scm","events":[{"introduced":"0"},{"fixed":"991e3a1f2e87c0b611deefb8d95f38a2a25c42a3"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"0.12.4"}],"source":["AFFECTED_FIELD","DESCRIPTION"]}}],"versions":["0.12.3","0.12.0","0.12.2","0.12.1","0.11.1","0.11.0","0.10.53","0.10.52","0.10.51","0.10.50","0.10.49","0.10.48","0.10.47","0.10.46","0.10.45","0.10.44","0.10.43","0.10.42","0.10.41","0.10.40","0.10.39","0.10.38","0.10.37","0.10.36","0.10.35","0.10.34","0.10.33","0.10.32","0.10.31","0.10.30","0.10.29","0.10.28","0.10.27","0.10.26","0.10.25","0.10.24","0.10.23","0.10.22","0.10.21","0.10.20","0.10.18","0.10.19","0.10.17","0.10.16","0.10.15","0.10.14","0.10.13","0.10.12","0.10.11","0.10.10","v0.10.9","v0.10.8","v0.10.7","v0.10.6","v0.10.5","v0.10.4","v0.10.3","v0.10.2","v0.10.1","v0.10.0","v0.9.4","v0.9.5","v0.9.3","v0.9.2","v0.9.1","v0.9.0","v0.8.0","v0.7.0","v0.6.0","v0.5.3","v0.5.2","v0.5.1","v0.5.0","v0.4.2","before-python-rewrite","v0.2.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56004.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}