CVE Catalog

CVE-2026-48708

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile - higher than 27% of all known CVEs

Summary

OliveTin in versions 3000.0.0 and prior allows access to predefined shell commands from a web interface. The use of a shared template engine instance without synchronization leads to race conditions, resulting in cross-user command contamination and execution errors.

Risk Assessment

The organization may be exposed to unauthorized command execution and application crashes, which can lead to serious security and stability issues.

Recommendation

It is recommended to upgrade to version 3000.13.0 or later to eliminate this vulnerability and ensure the proper functioning of the application.

Original NVD description (English source)

OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level variable in service/internal/tpl/templates.go) across all goroutines. Every action execution calls tpl.Parse(source) followed by t.Execute() on this shared instance with no synchronization. When two or more actions execute concurrently (which is the normal case — each ExecRequest spawns a goroutine), a race condition occurs: one goroutine's Parse overwrites the template tree while another goroutine is calling Execute, causing cross-user command contamination, Go runtime panic, and incorrect command execution. This issue has been resolved in version 3000.13.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS