| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| sbt-1.12.7.zip.asc | 2026-03-23 | 833 Bytes | |
| sbt-1.12.7.zip.sha256 | 2026-03-23 | 81 Bytes | |
| sbt-1.12.7.tgz.sha256 | 2026-03-23 | 81 Bytes | |
| sbt-1.12.7.zip | 2026-03-23 | 57.2 MB | |
| sbt-1.12.7.tgz.asc | 2026-03-23 | 833 Bytes | |
| sbt-1.12.7.msi.asc | 2026-03-23 | 833 Bytes | |
| sbt-1.12.7.msi.sha256 | 2026-03-23 | 81 Bytes | |
| sbt-1.12.7.tgz | 2026-03-23 | 57.3 MB | |
| sbt-1.12.7.msi | 2026-03-23 | 14.8 MB | |
| 1.12.7 source code.tar.gz | 2026-03-23 | 5.0 MB | |
| 1.12.7 source code.zip | 2026-03-23 | 6.7 MB | |
| README.md | 2026-03-23 | 1.1 kB | |
| Totals: 12 Items | | 141.1 MB | 0 |
CVE-2026-32948 Source dependency feature (via crafted VCS URL) leading to arbitrary code execution on Windows
sbt 1.12.7 fixes CVE-2026-32948 (https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw). Recently @anatoliykmetyuk at Scala Center discovered a vulnerability in sbt's source dependency feature, ProjectRef(...) and RootProject(...). The URL for the version control system allows a branch to be specified via the URL fragment, which is passed to the Windows cmd shell. A malicious user can craft a URL that allows arbitrary code execution.
Anatolii also provided a fix from a private fork 1ce945 and 3a474a. We recommend upgrading to sbt 1.12.7, especially if you're on Windows.
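
To review existing builds for source dependencies whose URL fragment is not a plain branch, tag or commit name, the following added example (not code from sbt or from the fix) scans build definition text and flags such fragments. It assumes dependencies are written as `uri("...")` string literals, and the allowlist is an audit policy chosen here, not the rule sbt 1.12.7 applies; the sample build is constructed.

```python
import re

# Conservative allowlist for the branch/tag/commit carried in the URL fragment.
# Assumption: an audit policy chosen for this example, not sbt's own check.
# The first character must be alphanumeric, so a leading '-' is also rejected.
SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,199}")

# Assumption: source dependencies appear as uri("...") string literals, as in
# RootProject(uri("...")) or ProjectRef(uri("..."), "name").
URI_LITERAL = re.compile(r'\buri\(\s*"([^"]*)"\s*\)')


def check_fragment(uri):
    """Return None if the fragment is absent or allowlisted, else a reason."""
    _, _, fragment = uri.partition("#")
    if not fragment:
        return None
    if SAFE_REF.fullmatch(fragment) is None:
        return "fragment %r is not an allowlisted ref name" % fragment
    return None


def audit_build(text):
    """Return (line_number, uri, reason) for each flagged source dependency."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for uri in URI_LITERAL.findall(line):
            reason = check_fragment(uri)
            if reason:
                findings.append((lineno, uri, reason))
    return findings


# Constructed sample build definition (not taken from any real project).
SAMPLE_BUILD = '''\
lazy val core = RootProject(uri("https://example.com/org/core.git#release/1.x"))
lazy val util = ProjectRef(uri("https://example.com/org/util.git"), "util")
lazy val odd  = RootProject(uri("https://example.com/org/odd.git#main&unexpected"))
lazy val spc  = RootProject(uri("https://example.com/org/spc.git#my branch"))
'''

if __name__ == "__main__":
    for lineno, uri, reason in audit_build(SAMPLE_BUILD):
        print("line %d: %s -> %s" % (lineno, uri, reason))
```

A flagged line is a prompt to inspect where that URL came from; URLs assembled at build time from variables are not string literals and need manual review.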
updates
- Revert Coursier back to 2.12.24 (#8902) by @eed3si9n in https://github.com/sbt/sbt/pull/8918
Full Changelog: https://github.com/sbt/sbt/compare/v1.12.6...v1.12.7