CVE-2026-48708
Received - Intake
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description
OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level variable in service/internal/tpl/templates.go) across all goroutines. Every action execution calls tpl.Parse(source) followed by t.Execute() on this shared instance with no synchronization. When two or more actions execute concurrently (which is the normal case: each ExecRequest spawns a goroutine), a race condition occurs: one goroutine's Parse overwrites the template tree while another goroutine is calling Execute, causing cross-user command contamination, Go runtime panic, and incorrect command execution. This issue has been resolved in version 3000.13.0.
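The pattern described above, as an added Go example (not OliveTin's code and not its actual fix): renderShared parses into one package-level template the way the description states, and renderIsolated parses into a fresh template per call so concurrent requests share no parse tree. The function names, the template name "action" and the sample commands are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"sync"
	"sync/atomic"
	"text/template"
)

// shared mirrors the advisory's pattern: one package-level template for all goroutines.
var shared = template.New("action")

// render parses src into t and executes it; which t is passed decides whether state is shared.
func render(t *template.Template, src string, args map[string]string) (string, error) {
	parsed, err := t.Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = parsed.Execute(&buf, args)
	return buf.String(), err
}

// renderShared is the racy form: Parse replaces the tree that a concurrent Execute may be reading.
func renderShared(src string, args map[string]string) (string, error) { return render(shared, src, args) }

// renderIsolated uses a new template per call, so there is nothing for another request to overwrite.
func renderIsolated(src string, args map[string]string) (string, error) {
	return render(template.New("action"), src, args)
}

// countMismatches renders n distinct constructed commands concurrently and counts
// results that errored or came back as some other request's command.
func countMismatches(renderFn func(string, map[string]string) (string, error), n int) int64 {
	var wg sync.WaitGroup
	var bad int64
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			out, err := renderFn(fmt.Sprintf("echo job-%d {{ .host }}", i), map[string]string{"host": "web01"})
			if err != nil || out != fmt.Sprintf("echo job-%d web01", i) {
				atomic.AddInt64(&bad, 1)
			}
		}(i)
	}
	wg.Wait()
	return bad
}

func main() { fmt.Println("mismatches with per-call templates:", countMismatches(renderIsolated, 200)) }
```

Building a test around countMismatches with `go test -race` is a quick way to confirm that a rendering path holds no shared template state.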
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs

Vendor | Product | Version / Range
olivetin | olivetin | to 3000.13.0 (exc)
olivetin | olivetin | 3000.13.0
CWE ID | Description
CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-567 | The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.
Executive Summary

This vulnerability exists in OliveTin versions 3000.0.0 and prior, where the template engine uses a single shared template instance across all concurrent goroutines without proper synchronization.

When multiple actions execute concurrently, a race condition occurs because one goroutine's parsing of the template can overwrite the template tree while another goroutine is executing it.

This leads to cross-user command contamination, Go runtime panics, and incorrect command execution.

The issue was fixed in version 3000.13.0.

Impact Analysis

This vulnerability can cause several serious impacts including:

  • Cross-user command contamination, meaning commands intended for one user could be executed in the context of another user.
  • Go runtime panics that can crash the application or service.
  • Incorrect command execution, potentially leading to unauthorized actions or system instability.

Mitigation Strategies

To mitigate this vulnerability, upgrade OliveTin to version 3000.13.0 or later, where the issue has been resolved.
