sbt 1.12.7 was released, featuring a security fix for CVE-2026-32948, Source dependency feature (via crafted VCS URL) leading to arbitrary code execution on Windows.
This was discovered and fixed by Anatolii “Toli” Kmetiuk at Scala Center, who is also a new sbt committer.