CVE-2026-56004
Status: Received - Intake

Shellcode Injection in OBS tar_scm Source Service

Vulnerability report for CVE-2026-56004, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: SUSE

Description

A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or the local user checking out the malicious services.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Vendor: opensuse
Product: obs-service-tar_scm
Version / Range: all versions before 0.12.4 (0.12.4 itself is not affected)


Exploitability

CWE-78 (OS Command Injection): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Mitigation Strategies

The primary mitigation step is to upgrade the obs-service-tar_scm package to version 0.12.4 or later, where the vulnerability has been fixed by improved input sanitization and validation.

Additionally, ensure that only trusted _service files are used and avoid allowing untrusted users to provide or modify these files.

Restrict what the revision and URL parameters may contain: reject values that start with '-' (hg would read them as options rather than as a revision or repository URL) or that contain shell metacharacters, and monitor for unusual Mercurial (hg) invocations on hosts that run source services.

Executive Summary

Despite the "shellcode injection" wording of the description, this is an OS command / option injection (CWE-78) in the mercurial (hg) handler of the obs tar_scm source service before version 0.12.4. Attackers who can supply or modify a _service file may execute arbitrary code as the source service or as the local user checking out the malicious service.

The root cause is insufficient sanitization of the revision and URL options: values taken from the _service file reach the hg command line without validation, so an attacker can inject additional commands or hg options through them.

Impact Analysis

Successful exploitation gives code execution with the privileges of the source service or of the local user performing the checkout. An attacker could then run arbitrary commands on that host, compromising the system, stealing data, or disrupting builds and services.

With a CVSS base score of 8.8 the issue is rated high severity, reflecting significant impact on confidentiality, integrity, and availability.

Detection Guidance

Detection has two parts: confirm whether the installed obs-service-tar_scm is older than 0.12.4, and look for _service files whose tar_scm parameters carry injection attempts.

Because the weakness is insufficient sanitization of the revision and URL parameters, the things to look for in service configurations are values that start with '-' (which hg would parse as an option rather than as a revision or URL) and values containing shell metacharacters or whitespace where a changeset id, tag, branch name, or repository URL is expected.

Commands to help detect potential exploitation attempts might include:

  • Searching _service files for tar_scm url/revision parameters that begin with an option dash or contain shell metacharacters (the file is literally named _service, and a bare `[;|&$<>]` would match every XML tag): `grep -rE --include='_service' '<param name="(url|revision)"> *(-|[^<]*[;|&$])' /path/to/obs/services/`
  • Checking the installed version of obs-service-tar_scm: `rpm -q obs-service-tar_scm` or `zypper info obs-service-tar_scm`
  • Monitoring logs for errors or unusual messages related to Mercurial (hg) commands or revision/URL parameters.
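The following script is an added example for this report, not code from obs-service-tar_scm and not a reproduction of the 0.12.4 fix. It covers both the mitigation and the detection guidance above: it parses _service files, flags tar_scm/hg url and revision values that would be parsed by hg as options or that contain shell metacharacters, and shows how a hardened handler would build the hg argv (as a list, validated, with '--' terminating options). The allowlists for revisions and URL schemes, the parameter names checked, and the sample _service documents are assumptions constructed for the example.

```python
"""
Audit OBS _service files for tar_scm/hg parameters that would be unsafe to
hand to `hg`, and build an hg argv the way a hardened handler should.

Added example for this report; it is not code from obs-service-tar_scm and
does not reproduce the 0.12.4 fix. Assumptions are marked inline.
"""
import re
import xml.etree.ElementTree as ET

# tar_scm <param> names whose values reach the hg command line
# (assumption: "url" and "revision" are the relevant tar_scm parameters).
UNTRUSTED_PARAMS = ("url", "revision")

# Characters a POSIX shell interprets; only exploitable if a handler builds a
# shell string, but their presence in a revision or URL is suspicious anyway.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\]")

# Conservative allowlists (an assumption, not tar_scm policy): revisions are
# changeset ids, tags, bookmarks or branch names and never start with '-';
# URLs use http, https or ssh and contain no whitespace.
REV_OK = re.compile(r"^[A-Za-z0-9._+][A-Za-z0-9._+/-]*$")
URL_OK = re.compile(r"^(https?|ssh)://\S+$")


def classify_value(name, value):
    """Return human-readable findings for one parameter value (empty = looks safe)."""
    findings = []
    v = value.strip()
    if v.startswith("-"):
        # getopt-style parsers, hg included, read a leading '-' as an option.
        findings.append(f"{name}: leading '-' would be parsed by hg as an option")
    meta = sorted(set(SHELL_META.findall(v)))
    if meta:
        findings.append(f"{name}: contains shell metacharacters {meta}")
    if name == "url" and not URL_OK.match(v):
        findings.append("url: scheme or form not in allowlist (http, https, ssh)")
    if name == "revision" and not REV_OK.match(v):
        findings.append("revision: characters outside allowlist")
    return findings


def audit_service(xml_text):
    """Parse one _service document; return [(url, findings)] per tar_scm/hg service."""
    root = ET.fromstring(xml_text)
    results = []
    for svc in root.iter("service"):
        if svc.get("name") != "tar_scm":
            continue
        params = {p.get("name"): (p.text or "") for p in svc.findall("param")}
        if params.get("scm") != "hg":
            continue  # only the mercurial handler is in scope here
        findings = []
        for pname in UNTRUSTED_PARAMS:
            if pname in params:
                findings.extend(classify_value(pname, params[pname]))
        results.append((params.get("url", ""), findings))
    return results


def is_safe(url, revision):
    """True when both values pass classify_value with no findings."""
    return not (classify_value("url", url) + classify_value("revision", revision))


def hg_clone_argv(url, revision, dest):
    """argv for `hg clone` as a hardened handler should build it: a list (no
    shell), validated values, and '--' so the url can never be read as an
    option (assumption: hg's getopt-style parser honours '--' like other CLIs)."""
    problems = classify_value("url", url) + classify_value("revision", revision)
    if problems:
        raise ValueError("; ".join(problems))
    return ["hg", "clone", "-r", revision, "--", url, dest]


# Constructed sample _service files (not real packages).
SAMPLES = {
    "benign": """<services>
  <service name="tar_scm">
    <param name="scm">hg</param>
    <param name="url">https://hg.example.org/project</param>
    <param name="revision">default</param>
  </service>
</services>""",
    "option_injection": """<services>
  <service name="tar_scm">
    <param name="scm">hg</param>
    <param name="url">https://hg.example.org/project</param>
    <param name="revision">--help</param>
  </service>
</services>""",
    "shell_meta": """<services>
  <service name="tar_scm">
    <param name="scm">hg</param>
    <param name="url">https://hg.example.org/project; id</param>
    <param name="revision">tip</param>
  </service>
</services>""",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        for url, findings in audit_service(text):
            print(f"{label}: {url!r} -> {findings or 'OK'}")
    print(hg_clone_argv("https://hg.example.org/project", "default", "project"))
```

Run it over a checkout tree by feeding each _service file's contents to audit_service; any non-empty findings list is worth a manual look. The argv builder is the shape to compare a handler against: values never pass through a shell, a leading '-' is rejected before the list is built, and '--' keeps the URL positional even if validation is later relaxed.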
