216.73.217.64

CVE-2026-48708

· Published 15/06/2026 23:17 · Modified 16/06/2026 15:49 · Author: The MITRE Corporation

Labels: CVE-2026-48708 2026-06-15CVE-2026-48708CWE-362[email protected]

Essential information

Published
15/06/2026 23:17
Modified
16/06/2026 15:49
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CWE-362
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level variable in service/internal/tpl/templates.go) across all goroutines. Every action execution calls tpl.Parse(source) followed by t.Execute() on this shared instance with no synchronization. When two or more actions execute concurrently (which is the normal case — each ExecRequest spawns a goroutine), a race condition occurs: one goroutine's Parse overwrites the template tree while another goroutine is calling Execute, causing cross-user command contamination, Go runtime panic, and incorrect command execution. This issue has been resolved in version 3000.13.0.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
olivetin / olivetin cpe:2.3:a:olivetin:olivetin:3000.0.0:*:*:*:*:*:*:*

References