Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
22 vulnerabilities found for olivetin by olivetin
CVE-2026-32102 (GCVE-0-2026-32102)
Vulnerability from nvd – Published: 2026-03-11 20:05 – Updated: 2026-03-12 19:47
VLAI?
Title
OliveTin Unauthorized Action Output Disclosure via EventStream
Summary
OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure.
Severity ?
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32102",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T19:47:31.122427Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T19:47:37.664Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin\u2019s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T20:05:16.164Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-228v-wc5r-j8m7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-228v-wc5r-j8m7"
}
],
"source": {
"advisory": "GHSA-228v-wc5r-j8m7",
"discovery": "UNKNOWN"
},
"title": "OliveTin Unauthorized Action Output Disclosure via EventStream"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32102",
"datePublished": "2026-03-11T20:05:16.164Z",
"dateReserved": "2026-03-10T22:02:38.854Z",
"dateUpdated": "2026-03-12T19:47:37.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31817 (GCVE-0-2026-31817)
Vulnerability from nvd – Published: 2026-03-10 21:08 – Updated: 2026-03-11 15:19
VLAI?
Title
OliveTin's unsafe parsing of UniqueTrackingId can be used to write files
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied UniqueTrackingId field in the StartAction API request. This value is not validated or sanitized before being used in a file path, allowing an attacker to use directory traversal sequences (e.g., ../../../) to write files to arbitrary locations on the filesystem. This vulnerability is fixed in 3000.11.2.
Severity ?
8.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31817",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T15:10:48.955922Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T15:19:29.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied UniqueTrackingId field in the StartAction API request. This value is not validated or sanitized before being used in a file path, allowing an attacker to use directory traversal sequences (e.g., ../../../) to write files to arbitrary locations on the filesystem. This vulnerability is fixed in 3000.11.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T00:09:56.386Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-364q-w7vh-vhpc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-364q-w7vh-vhpc"
}
],
"source": {
"advisory": "GHSA-364q-w7vh-vhpc",
"discovery": "UNKNOWN"
},
"title": "OliveTin\u0027s unsafe parsing of UniqueTrackingId can be used to write files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31817",
"datePublished": "2026-03-10T21:08:53.873Z",
"dateReserved": "2026-03-09T17:41:56.075Z",
"dateUpdated": "2026-03-11T15:19:29.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30233 (GCVE-0-2026-30233)
Vulnerability from nvd – Published: 2026-03-06 21:05 – Updated: 2026-03-09 20:54
VLAI?
Title
OliveTin: View permission not being checked when returning dashboards
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1.
Severity ?
6.5 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30233",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:46:55.609824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:29.334Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:05:36.698Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-jf73-858c-54pg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-jf73-858c-54pg"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/d7962710e7c46f6bdda4188b5b0cdbde4be665a0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/d7962710e7c46f6bdda4188b5b0cdbde4be665a0"
},
{
"name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
}
],
"source": {
"advisory": "GHSA-jf73-858c-54pg",
"discovery": "UNKNOWN"
},
"title": "OliveTin: View permission not being checked when returning dashboards"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30233",
"datePublished": "2026-03-06T21:05:36.698Z",
"dateReserved": "2026-03-04T17:23:59.798Z",
"dateUpdated": "2026-03-09T20:54:29.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30225 (GCVE-0-2026-30225)
Vulnerability from nvd – Published: 2026-03-06 21:03 – Updated: 2026-03-09 20:54
VLAI?
Title
OliveTin: RestartAction always runs actions as guest
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authentication context confusion vulnerability in RestartAction allows a low‑privileged authenticated user to execute actions they are not permitted to run. RestartAction constructs a new internal connect.Request without preserving the original caller’s authentication headers or cookies. When this synthetic request is passed to StartAction, the authentication resolver falls back to the guest user. If the guest account has broader permissions than the authenticated caller, this results in privilege escalation and unauthorized command execution. This vulnerability allows a low‑privileged authenticated user to bypass ACL restrictions and execute arbitrary configured shell actions. This issue has been patched in version 3000.11.1.
Severity ?
5.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30225",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:49:02.628432Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:29.579Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authentication context confusion vulnerability in RestartAction allows a low\u2011privileged authenticated user to execute actions they are not permitted to run. RestartAction constructs a new internal connect.Request without preserving the original caller\u2019s authentication headers or cookies. When this synthetic request is passed to StartAction, the authentication resolver falls back to the guest user. If the guest account has broader permissions than the authenticated caller, this results in privilege escalation and unauthorized command execution. This vulnerability allows a low\u2011privileged authenticated user to bypass ACL restrictions and execute arbitrary configured shell actions. This issue has been patched in version 3000.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-441",
"description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250: Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:03:55.994Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-p443-p7w5-2f7f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-p443-p7w5-2f7f"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/cb46a597b2465235839ed58cf034b5e7b70ef911",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/cb46a597b2465235839ed58cf034b5e7b70ef911"
},
{
"name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
}
],
"source": {
"advisory": "GHSA-p443-p7w5-2f7f",
"discovery": "UNKNOWN"
},
"title": "OliveTin: RestartAction always runs actions as guest"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30225",
"datePublished": "2026-03-06T21:03:55.994Z",
"dateReserved": "2026-03-04T17:23:59.797Z",
"dateUpdated": "2026-03-09T20:54:29.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30224 (GCVE-0-2026-30224)
Vulnerability from nvd – Published: 2026-03-06 21:01 – Updated: 2026-03-09 20:54
VLAI?
Title
OliveTin: Session Fixation - Logout Fails to Invalidate Server-Side Session
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1.
Severity ?
5.4 (Medium)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30224",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:49:41.862749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:29.979Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default \u2248 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:01:37.027Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-gq2m-77hf-vwgh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-gq2m-77hf-vwgh"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5"
},
{
"name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
}
],
"source": {
"advisory": "GHSA-gq2m-77hf-vwgh",
"discovery": "UNKNOWN"
},
"title": "OliveTin: Session Fixation - Logout Fails to Invalidate Server-Side Session"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30224",
"datePublished": "2026-03-06T21:01:37.027Z",
"dateReserved": "2026-03-04T17:23:59.797Z",
"dateUpdated": "2026-03-09T20:54:29.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30223 (GCVE-0-2026-30223)
Vulnerability from nvd – Published: 2026-03-06 21:01 – Updated: 2026-03-09 20:54
VLAI?
Title
OliveTin: JWT Audience Validation Bypass in Local Key and HMAC Modes
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1.
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30223",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:49:22.328936Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:29.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either \"authJwtPubKeyPath\" (local RSA public key) or \"authJwtHmacSecret\" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:01:44.731Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-g962-2j28-3cg9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-g962-2j28-3cg9"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/e97d8ecbd8d6ba468c418ca496fcd18f78131233",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/e97d8ecbd8d6ba468c418ca496fcd18f78131233"
},
{
"name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
}
],
"source": {
"advisory": "GHSA-g962-2j28-3cg9",
"discovery": "UNKNOWN"
},
"title": "OliveTin: JWT Audience Validation Bypass in Local Key and HMAC Modes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30223",
"datePublished": "2026-03-06T21:01:44.731Z",
"dateReserved": "2026-03-04T17:23:59.797Z",
"dateUpdated": "2026-03-09T20:54:29.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28790 (GCVE-0-2026-28790)
Vulnerability from nvd – Published: 2026-03-05 19:34 – Updated: 2026-03-06 17:57
VLAI?
Title
OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28790",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T17:57:00.483301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T17:57:04.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T19:34:53.951Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9"
},
{
"name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0"
}
],
"source": {
"advisory": "GHSA-4fqm-6fmh-82mq",
"discovery": "UNKNOWN"
},
"title": "OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28790",
"datePublished": "2026-03-05T19:34:53.951Z",
"dateReserved": "2026-03-03T14:25:19.244Z",
"dateUpdated": "2026-03-06T17:57:04.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28789 (GCVE-0-2026-28789)
Vulnerability from nvd – Published: 2026-03-05 19:33 – Updated: 2026-03-06 18:01
VLAI?
Title
OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28789",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T18:01:34.546987Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:01:38.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.10.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin\u2019s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-662",
"description": "CWE-662: Improper Synchronization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T19:33:46.924Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36"
}
],
"source": {
"advisory": "GHSA-45m3-398w-m2m9",
"discovery": "UNKNOWN"
},
"title": "OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28789",
"datePublished": "2026-03-05T19:33:46.924Z",
"dateReserved": "2026-03-03T14:25:19.244Z",
"dateUpdated": "2026-03-06T18:01:38.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28342 (GCVE-0-2026-28342)
Vulnerability from nvd – Published: 2026-03-05 19:33 – Updated: 2026-03-06 18:02
VLAI?
Title
OliveTin: Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS). The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits. This issue has been patched in version 3000.10.2.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28342",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T18:02:37.019994Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:02:40.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-pc8g-78pf-4xrp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS). The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits. This issue has been patched in version 3000.10.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T19:33:44.300Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-pc8g-78pf-4xrp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-pc8g-78pf-4xrp"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/2eb5f0ba79d4bbef3c802bf8b4666a7e18dcfd90",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/2eb5f0ba79d4bbef3c802bf8b4666a7e18dcfd90"
},
{
"name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.10.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.10.2"
}
],
"source": {
"advisory": "GHSA-pc8g-78pf-4xrp",
"discovery": "UNKNOWN"
},
"title": "OliveTin: Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28342",
"datePublished": "2026-03-05T19:33:44.300Z",
"dateReserved": "2026-02-26T18:38:13.889Z",
"dateUpdated": "2026-03-06T18:02:40.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27626 (GCVE-0-2026-27626)
Vulnerability from nvd – Published: 2026-02-25 02:43 – Updated: 2026-02-27 17:07
VLAI?
Title
OliveTin vulnerable to OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks
Summary
OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching `sh -c`. When exploiting vector 1, any authenticated user (registration enabled by default, `authType: none` by default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process. When exploiting vector 2, an unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case. When an attacker exploits both vectors, this results in unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions. As of time of publication, a patched version is not available.
Severity ?
10 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27626",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T17:07:18.531616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T17:07:28.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-49gm-hh7w-wfvf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c= 3000.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin\u0027s shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching `sh -c`. When exploiting vector 1, any authenticated user (registration enabled by default, `authType: none` by default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process. When exploiting vector 2, an unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case. When an attacker exploits both vectors, this results in unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions. As of time of publication, a patched version is not available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T02:43:08.189Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-49gm-hh7w-wfvf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-49gm-hh7w-wfvf"
}
],
"source": {
"advisory": "GHSA-49gm-hh7w-wfvf",
"discovery": "UNKNOWN"
},
"title": "OliveTin vulnerable to OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27626",
"datePublished": "2026-02-25T02:43:08.189Z",
"dateReserved": "2026-02-20T22:02:30.027Z",
"dateUpdated": "2026-02-27T17:07:28.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-50946 (GCVE-0-2025-50946)
Vulnerability from nvd – Published: 2025-08-13 00:00 – Updated: 2025-08-13 20:20
VLAI?
Summary
OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-50946",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-13T20:20:11.218098Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T20:20:45.643Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T17:13:50.383Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/OliveTin/OliveTin"
},
{
"url": "https://github.com/OliveTin/OliveTin/blob/8c073bf45fca6c6eda4e8a9feb182433277343ee/service/internal/executor/arguments.go#L211"
},
{
"url": "https://github.com/chrisWalker11/Cves/blob/main/CVE-2025-50946/CVE-2025-50946.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-50946",
"datePublished": "2025-08-13T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-08-13T20:20:45.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-32102 (GCVE-0-2026-32102)
Vulnerability from cvelistv5 – Published: 2026-03-11 20:05 – Updated: 2026-03-12 19:47
VLAI?
Title
OliveTin Unauthorized Action Output Disclosure via EventStream
Summary
OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure.
Severity ?
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32102",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T19:47:31.122427Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T19:47:37.664Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin\u2019s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T20:05:16.164Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-228v-wc5r-j8m7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-228v-wc5r-j8m7"
}
],
"source": {
"advisory": "GHSA-228v-wc5r-j8m7",
"discovery": "UNKNOWN"
},
"title": "OliveTin Unauthorized Action Output Disclosure via EventStream"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32102",
"datePublished": "2026-03-11T20:05:16.164Z",
"dateReserved": "2026-03-10T22:02:38.854Z",
"dateUpdated": "2026-03-12T19:47:37.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31817 (GCVE-0-2026-31817)
Vulnerability from cvelistv5 – Published: 2026-03-10 21:08 – Updated: 2026-03-11 15:19
VLAI?
Title
OliveTin's unsafe parsing of UniqueTrackingId can be used to write files
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied UniqueTrackingId field in the StartAction API request. This value is not validated or sanitized before being used in a file path, allowing an attacker to use directory traversal sequences (e.g., ../../../) to write files to arbitrary locations on the filesystem. This vulnerability is fixed in 3000.11.2.
Severity ?
8.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31817",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T15:10:48.955922Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T15:19:29.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied UniqueTrackingId field in the StartAction API request. This value is not validated or sanitized before being used in a file path, allowing an attacker to use directory traversal sequences (e.g., ../../../) to write files to arbitrary locations on the filesystem. This vulnerability is fixed in 3000.11.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T00:09:56.386Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-364q-w7vh-vhpc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-364q-w7vh-vhpc"
}
],
"source": {
"advisory": "GHSA-364q-w7vh-vhpc",
"discovery": "UNKNOWN"
},
"title": "OliveTin\u0027s unsafe parsing of UniqueTrackingId can be used to write files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31817",
"datePublished": "2026-03-10T21:08:53.873Z",
"dateReserved": "2026-03-09T17:41:56.075Z",
"dateUpdated": "2026-03-11T15:19:29.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30233 (GCVE-0-2026-30233)
Vulnerability from cvelistv5 – Published: 2026-03-06 21:05 – Updated: 2026-03-09 20:54
VLAI?
Title
OliveTin: View permission not being checked when returning dashboards
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1.
Severity ?
6.5 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30233",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:46:55.609824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:29.334Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:05:36.698Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-jf73-858c-54pg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-jf73-858c-54pg"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/d7962710e7c46f6bdda4188b5b0cdbde4be665a0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/d7962710e7c46f6bdda4188b5b0cdbde4be665a0"
},
{
"name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
}
],
"source": {
"advisory": "GHSA-jf73-858c-54pg",
"discovery": "UNKNOWN"
},
"title": "OliveTin: View permission not being checked when returning dashboards"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30233",
"datePublished": "2026-03-06T21:05:36.698Z",
"dateReserved": "2026-03-04T17:23:59.798Z",
"dateUpdated": "2026-03-09T20:54:29.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30225 (GCVE-0-2026-30225)
Vulnerability from cvelistv5 – Published: 2026-03-06 21:03 – Updated: 2026-03-09 20:54
VLAI?
Title
OliveTin: RestartAction always runs actions as guest
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authentication context confusion vulnerability in RestartAction allows a low‑privileged authenticated user to execute actions they are not permitted to run. RestartAction constructs a new internal connect.Request without preserving the original caller’s authentication headers or cookies. When this synthetic request is passed to StartAction, the authentication resolver falls back to the guest user. If the guest account has broader permissions than the authenticated caller, this results in privilege escalation and unauthorized command execution. This vulnerability allows a low‑privileged authenticated user to bypass ACL restrictions and execute arbitrary configured shell actions. This issue has been patched in version 3000.11.1.
Severity ?
5.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30225",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:49:02.628432Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:29.579Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authentication context confusion vulnerability in RestartAction allows a low\u2011privileged authenticated user to execute actions they are not permitted to run. RestartAction constructs a new internal connect.Request without preserving the original caller\u2019s authentication headers or cookies. When this synthetic request is passed to StartAction, the authentication resolver falls back to the guest user. If the guest account has broader permissions than the authenticated caller, this results in privilege escalation and unauthorized command execution. This vulnerability allows a low\u2011privileged authenticated user to bypass ACL restrictions and execute arbitrary configured shell actions. This issue has been patched in version 3000.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-441",
"description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250: Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:03:55.994Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-p443-p7w5-2f7f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-p443-p7w5-2f7f"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/cb46a597b2465235839ed58cf034b5e7b70ef911",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/cb46a597b2465235839ed58cf034b5e7b70ef911"
},
{
"name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
}
],
"source": {
"advisory": "GHSA-p443-p7w5-2f7f",
"discovery": "UNKNOWN"
},
"title": "OliveTin: RestartAction always runs actions as guest"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30225",
"datePublished": "2026-03-06T21:03:55.994Z",
"dateReserved": "2026-03-04T17:23:59.797Z",
"dateUpdated": "2026-03-09T20:54:29.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30223 (GCVE-0-2026-30223)
Vulnerability from cvelistv5 – Published: 2026-03-06 21:01 – Updated: 2026-03-09 20:54
VLAI?
Title
OliveTin: JWT Audience Validation Bypass in Local Key and HMAC Modes
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1.
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30223",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:49:22.328936Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:29.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either \"authJwtPubKeyPath\" (local RSA public key) or \"authJwtHmacSecret\" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:01:44.731Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-g962-2j28-3cg9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-g962-2j28-3cg9"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/e97d8ecbd8d6ba468c418ca496fcd18f78131233",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/e97d8ecbd8d6ba468c418ca496fcd18f78131233"
},
{
"name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
}
],
"source": {
"advisory": "GHSA-g962-2j28-3cg9",
"discovery": "UNKNOWN"
},
"title": "OliveTin: JWT Audience Validation Bypass in Local Key and HMAC Modes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30223",
"datePublished": "2026-03-06T21:01:44.731Z",
"dateReserved": "2026-03-04T17:23:59.797Z",
"dateUpdated": "2026-03-09T20:54:29.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30224 (GCVE-0-2026-30224)
Vulnerability from cvelistv5 – Published: 2026-03-06 21:01 – Updated: 2026-03-09 20:54
VLAI?
Title
OliveTin: Session Fixation - Logout Fails to Invalidate Server-Side Session
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1.
Severity ?
5.4 (Medium)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30224",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:49:41.862749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:29.979Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default \u2248 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:01:37.027Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-gq2m-77hf-vwgh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-gq2m-77hf-vwgh"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/d6a0abc3755d43107be1939567c52953bcbec3d5"
},
{
"name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
}
],
"source": {
"advisory": "GHSA-gq2m-77hf-vwgh",
"discovery": "UNKNOWN"
},
"title": "OliveTin: Session Fixation - Logout Fails to Invalidate Server-Side Session"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30224",
"datePublished": "2026-03-06T21:01:37.027Z",
"dateReserved": "2026-03-04T17:23:59.797Z",
"dateUpdated": "2026-03-09T20:54:29.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28790 (GCVE-0-2026-28790)
Vulnerability from cvelistv5 – Published: 2026-03-05 19:34 – Updated: 2026-03-06 17:57
VLAI?
Title
OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28790",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T17:57:00.483301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T17:57:04.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T19:34:53.951Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9"
},
{
"name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0"
}
],
"source": {
"advisory": "GHSA-4fqm-6fmh-82mq",
"discovery": "UNKNOWN"
},
"title": "OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28790",
"datePublished": "2026-03-05T19:34:53.951Z",
"dateReserved": "2026-03-03T14:25:19.244Z",
"dateUpdated": "2026-03-06T17:57:04.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28789 (GCVE-0-2026-28789)
Vulnerability from cvelistv5 – Published: 2026-03-05 19:33 – Updated: 2026-03-06 18:01
VLAI?
Title
OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28789",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T18:01:34.546987Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:01:38.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.10.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin\u2019s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-662",
"description": "CWE-662: Improper Synchronization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T19:33:46.924Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36"
}
],
"source": {
"advisory": "GHSA-45m3-398w-m2m9",
"discovery": "UNKNOWN"
},
"title": "OliveTin: Unauthenticated DoS via concurrent map writes in OAuth2 state handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28789",
"datePublished": "2026-03-05T19:33:46.924Z",
"dateReserved": "2026-03-03T14:25:19.244Z",
"dateUpdated": "2026-03-06T18:01:38.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28342 (GCVE-0-2026-28342)
Vulnerability from cvelistv5 – Published: 2026-03-05 19:33 – Updated: 2026-03-06 18:02
VLAI?
Title
OliveTin: Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint
Summary
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS). The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits. This issue has been patched in version 3000.10.2.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28342",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T18:02:37.019994Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:02:40.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-pc8g-78pf-4xrp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c 3000.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS). The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits. This issue has been patched in version 3000.10.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T19:33:44.300Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-pc8g-78pf-4xrp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-pc8g-78pf-4xrp"
},
{
"name": "https://github.com/OliveTin/OliveTin/commit/2eb5f0ba79d4bbef3c802bf8b4666a7e18dcfd90",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/commit/2eb5f0ba79d4bbef3c802bf8b4666a7e18dcfd90"
},
{
"name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.10.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.10.2"
}
],
"source": {
"advisory": "GHSA-pc8g-78pf-4xrp",
"discovery": "UNKNOWN"
},
"title": "OliveTin: Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28342",
"datePublished": "2026-03-05T19:33:44.300Z",
"dateReserved": "2026-02-26T18:38:13.889Z",
"dateUpdated": "2026-03-06T18:02:40.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27626 (GCVE-0-2026-27626)
Vulnerability from cvelistv5 – Published: 2026-02-25 02:43 – Updated: 2026-02-27 17:07
VLAI?
Title
OliveTin vulnerable to OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks
Summary
OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching `sh -c`. When exploiting vector 1, any authenticated user (registration enabled by default, `authType: none` by default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process. When exploiting vector 2, an unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case. When an attacker exploits both vectors, this results in unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions. As of time of publication, a patched version is not available.
Severity ?
10 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27626",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T17:07:18.531616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T17:07:28.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-49gm-hh7w-wfvf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OliveTin",
"vendor": "OliveTin",
"versions": [
{
"status": "affected",
"version": "\u003c= 3000.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin\u0027s shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via webhook-extracted JSON values that skip type safety checks entirely before reaching `sh -c`. When exploiting vector 1, any authenticated user (registration enabled by default, `authType: none` by default) can execute arbitrary OS commands on the OliveTin host with the permissions of the OliveTin process. When exploiting vector 2, an unauthenticated attacker can achieve the same if the instance receives webhooks from external sources, which is a primary OliveTin use case. When an attacker exploits both vectors, this results in unauthenticated RCE on any OliveTin instance using Shell mode with webhook-triggered actions. As of time of publication, a patched version is not available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T02:43:08.189Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-49gm-hh7w-wfvf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-49gm-hh7w-wfvf"
}
],
"source": {
"advisory": "GHSA-49gm-hh7w-wfvf",
"discovery": "UNKNOWN"
},
"title": "OliveTin vulnerable to OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27626",
"datePublished": "2026-02-25T02:43:08.189Z",
"dateReserved": "2026-02-20T22:02:30.027Z",
"dateUpdated": "2026-02-27T17:07:28.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-50946 (GCVE-0-2025-50946)
Vulnerability from cvelistv5 – Published: 2025-08-13 00:00 – Updated: 2025-08-13 20:20
VLAI?
Summary
OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-50946",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-13T20:20:11.218098Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T20:20:45.643Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T17:13:50.383Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/OliveTin/OliveTin"
},
{
"url": "https://github.com/OliveTin/OliveTin/blob/8c073bf45fca6c6eda4e8a9feb182433277343ee/service/internal/executor/arguments.go#L211"
},
{
"url": "https://github.com/chrisWalker11/Cves/blob/main/CVE-2025-50946/CVE-2025-50946.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-50946",
"datePublished": "2025-08-13T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-08-13T20:20:45.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}