CVE-2026-48708

Source
https://cve.org/CVERecord?id=CVE-2026-48708
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48708.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48708
Aliases
Published
2026-06-15T19:59:27.859Z
Modified
2026-07-15T01:49:04.544027996Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
OliveTin has a Concurrent Template Parsing Race Condition which Leads to Cross-Request Command Contamination
Details

OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level variable in service/internal/tpl/templates.go) across all goroutines. Every action execution calls tpl.Parse(source) followed by t.Execute() on this shared instance with no synchronization. When two or more actions execute concurrently (which is the normal case — each ExecRequest spawns a goroutine), a race condition occurs: one goroutine's Parse overwrites the template tree while another goroutine is calling Execute, causing cross-user command contamination, Go runtime panic, and incorrect command execution. This issue has been resolved in version 3000.13.0.

Database specific
{
    "cwe_ids": [
        "CWE-362",
        "CWE-567"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48708.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/olivetin/olivetin

Affected ranges

Type
GIT
Repo
https://github.com/olivetin/olivetin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3000.13.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

2021-05-19.*
2021-05-19.28
2021-05-24.*
2021-05-24.f44
Other
2021-05-25
2021-05-28
2021-07-16
2021-07-19
2021-11-17
2021-11-17-2
2021-11-19
2022-01-06
2022-04-07
2022-10-19
2021-11-02.*
2021-11-02.alpha1-task-arguments
2022.*
2022.11.11
2022.11.14
2023.*
2023.02.16
2023.03.22
2023.03.24
2023.03.24-2
2023.03.24-3
2023.03.24-4
2023.03.25
2023.10.09
2023.10.12
2023.10.24
2023.10.25
2023.12.1
2023.12.17
2023.12.20
2023.12.21
2024.*
2024.02.01
2024.02.27
2024.02.28
2024.03.01
2024.03.05
2024.03.06
2024.03.08
2024.03.081
2024.03.24
2024.04.021
2024.04.09
2024.04.11
2024.04.14
2024.04.18
2024.04.20
2024.04.26
2024.04.261
2024.04.28
2024.05.13
2024.05.24
2024.05.27
2024.05.31
2024.05.51
2024.06.01
2024.06.02
2024.06.04
2024.07.03
2024.07.06
2024.07.07
2024.07.13
2024.07.15
2024.07.152
2024.07.153
2024.07.16
2024.08.14
2024.08.25
2024.08.31
2024.09.02
2024.09.10
2024.09.11
2024.09.16
2024.10.01
2024.10.02
2024.10.14
2024.10.17
2024.10.18
2024.10.26
2024.10.27
2024.11.02
2024.11.09
2024.11.18
2024.11.24
2024.12.11
2025.*
2025.2.19
2025.2.21
2025.3.23
2025.3.28
2025.4.14
2025.4.21
2025.4.22
2025.4.8
2025.5.26
2025.6.1
2025.6.22
2025.6.6
2025.7.13
2025.7.19
3000.*
3000.0.0
3000.0.1
3000.0.2
3000.1.0
3000.1.1
3000.1.2
3000.10.0
3000.10.1
3000.10.2
3000.11.0
3000.11.1
3000.11.2
3000.11.3
3000.11.4
3000.12.0
3000.2.0
3000.2.1
3000.3.0
3000.3.1
3000.3.2
3000.4.0
3000.5.0
3000.6.0
3000.7.0
3000.8.0
3000.9.0
3000.9.1
3000.9.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48708.json"