CVE-2026-56004 CRITICAL

CVE-2026-56004: obs-service-tar_scm: command injection via mercurial handler

Vendor Opensuse
Product buildservice
Weakness CWE-78
Published July 2, 2026
Last update July 2, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

A shellcode injection in the Mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or as the local user checking out the malicious services.

Key dates

02 Disclosure timeline

July 2, 2026 CVE published
July 2, 2026 Record updated