https://vulnerability.circl.lu/sightings/feed 2026-06-25T09:54:05.990196+00:00 Vulnerability-Lookup info@circl.lu python-feedgen Contains only the most 10 recent sightings. https://vulnerability.circl.lu/sighting/ee9567de-ac9f-4c30-b983-6635cfdeb129/export 2026-06-25T09:54:06.008259+00:00 Joseph Lee https://vulnerability.circl.lu/user/syspect {"uuid": "ee9567de-ac9f-4c30-b983-6635cfdeb129", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-48708", "type": "published-proof-of-concept", "source": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-7fq5-7wr8-rjwj", "content": "", "creation_timestamp": "2026-06-24T18:35:07.665338Z"} 2026-06-24T18:35:07.665338+00:00 https://vulnerability.circl.lu/sighting/7063a9f8-32ad-4029-8c0d-714494ed320b/export 2026-06-25T09:54:06.008109+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "7063a9f8-32ad-4029-8c0d-714494ed320b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48708", "type": "seen", "source": "https://gist.github.com/alon710/cb59405487e5944ed006860e5bc630ab", "content": "# CVE-2026-48708: CVE-2026-48708: Concurrent Template Parsing Race Condition in OliveTin leading to Cross-Request Command Contamination\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-24\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48708\n\n## Summary\nCVE-2026-48708 details a critical concurrency synchronization flaw in OliveTin versions < 3000.13.0. A shared package-level text/template.Template instance is accessed concurrently across multiple goroutines without proper synchronization. When concurrent request processing occurs, a race condition causes Go runtime panics or command contamination across separate sessions, enabling denial of service or execution of contaminated commands.\n\n## TL;DR\nA concurrent template parsing race condition in OliveTin allows authenticated users to crash the daemon or cause cross-request command contamination, potentially executing unauthorized commands.\n\n## Technical Details\n\n- **CWE ID**: CWE-362\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 7.5 (High)\n- **EPSS Score**: 0.00349 (0.349%)\n- **Exploit Status**: None / Theoretical\n- **CISA KEV Status**: Not Listed\n- **Primary Impact**: Denial of Service / Command Contamination\n\n## Affected Systems\n\n- OliveTin versions prior to 3000.13.0\n- **OliveTin**: < 3000.13.0 (Fixed in: `3000.13.0`)\n\n## Mitigation\n\n- Upgrade OliveTin to version 3000.13.0 or later.\n- Implement strict rate-limiting on reverse proxies to limit concurrent execution requests to 1.\n- Restrict access to the OliveTin control panel using strong multi-factor authentication and trusted IP networks.\n\n**Remediation Steps:**\n1. Identify current OliveTin deployments running versions prior to 3000.13.0.\n2. Pull the updated Docker image or download the latest binary from the official release page: https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0\n3. Deploy the update and restart the daemon to apply the template isolation patches.\n4. Validate the update by checking logs for the absence of Go concurrent map write panic traces.\n\n## References\n\n- [GitHub Security Advisory GHSA-7fq5-7wr8-rjwj](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-7fq5-7wr8-rjwj)\n- [OliveTin Remediation Commit](https://github.com/OliveTin/OliveTin/commit/d74da9314005954dd49fa20dabf272247bc76519)\n- [OliveTin Release 3000.13.0](https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0)\n- [CVE.org Official Record](https://www.cve.org/CVERecord?id=CVE-2026-48708)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48708) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T19:54:03.179003Z"} 2026-06-24T19:54:03.179003+00:00 https://vulnerability.circl.lu/sighting/10b19d20-1371-425a-a757-d2f1d7093535/export 2026-06-25T09:54:06.005861+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "10b19d20-1371-425a-a757-d2f1d7093535", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48708", "type": "seen", "source": "https://gist.github.com/alon710/3e7dd842c80dfd534275b1d215c3d4b9", "content": "# CVE-2026-48708: CVE-2026-48708: Concurrent Template Parsing Race Condition in OliveTin leading to Cross-Request Command Contamination\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-24\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48708\n\n## Summary\nCVE-2026-48708 details a critical concurrency synchronization flaw in OliveTin versions < 3000.13.0. A shared package-level text/template.Template instance is accessed concurrently across multiple goroutines without proper synchronization. When concurrent request processing occurs, a race condition causes Go runtime panics or command contamination across separate sessions, enabling denial of service or execution of contaminated commands.\n\n## TL;DR\nA concurrent template parsing race condition in OliveTin allows authenticated users to crash the daemon or cause cross-request command contamination, potentially executing unauthorized commands.\n\n## Technical Details\n\n- **CWE ID**: CWE-362\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 7.5 (High)\n- **EPSS Score**: 0.00349 (0.349%)\n- **Exploit Status**: None / Theoretical\n- **CISA KEV Status**: Not Listed\n- **Primary Impact**: Denial of Service / Command Contamination\n\n## Affected Systems\n\n- OliveTin versions prior to 3000.13.0\n- **OliveTin**: < 3000.13.0 (Fixed in: `3000.13.0`)\n\n## Mitigation\n\n- Upgrade OliveTin to version 3000.13.0 or later.\n- Implement strict rate-limiting on reverse proxies to limit concurrent execution requests to 1.\n- Restrict access to the OliveTin control panel using strong multi-factor authentication and trusted IP networks.\n\n**Remediation Steps:**\n1. Identify current OliveTin deployments running versions prior to 3000.13.0.\n2. Pull the updated Docker image or download the latest binary from the official release page: https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0\n3. Deploy the update and restart the daemon to apply the template isolation patches.\n4. Validate the update by checking logs for the absence of Go concurrent map write panic traces.\n\n## References\n\n- [GitHub Security Advisory GHSA-7fq5-7wr8-rjwj](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-7fq5-7wr8-rjwj)\n- [OliveTin Remediation Commit](https://github.com/OliveTin/OliveTin/commit/d74da9314005954dd49fa20dabf272247bc76519)\n- [OliveTin Release 3000.13.0](https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0)\n- [CVE.org Official Record](https://www.cve.org/CVERecord?id=CVE-2026-48708)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48708) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T20:02:14.810358Z"} 2026-06-24T20:02:14.810358+00:00