CVE-2026-48708

Published: Giu 15, 2026 Last Modified: Giu 16, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,5

Source: [email protected]

Attack Vector: network

Attack Complexity: high

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level variable in service/internal/tpl/templates.go) across all goroutines. Every action execution calls tpl.Parse(source) followed by t.Execute() on this shared instance with no synchronization. When two or more actions execute concurrently (which is the normal case — each ExecRequest spawns a goroutine), a race condition occurs: one goroutine's Parse overwrites the template tree while another goroutine is calling Execute, causing cross-user command contamination, Go runtime panic, and incorrect command execution. This issue has been resolved in version 3000.13.0.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0035

Percentile

0,3th

Updated

EPSS Score Trend (Last 2 Days)

362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Availability Confidentiality Integrity Access Control

Potential Impacts:

Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other) Dos: Crash, Exit, Or Restart Dos: Instability Read Files Or Directories Read Application Data Execute Unauthorized Code Or Commands Gain Privileges Or Assume Identity Bypass Protection Mechanism

Applicable Platforms

Languages: C, C++, Java

Technologies: Mobile, ICS/OT

Likelihood of Exploit: Medium

View CWE Details

567

Unsynchronized Access to Shared Data in a Multithreaded Context

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability

Potential Impacts:

Read Application Data Modify Application Data Dos: Instability Dos: Crash, Exit, Or Restart

Applicable Platforms

Languages: Java

View CWE Details

https://github.com/OliveTin/OliveTin/security/advisories/GH…

https://github.com/OliveTin/OliveTin/security/advisories/GHSA-7fq5-7wr8-rjwj

https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0

https://github.com/OliveTin/OliveTin/security/advisories/GH…

https://github.com/OliveTin/OliveTin/security/advisories/GHSA-7fq5-7wr8-rjwj

CVE-2026-48708

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 2 Days)

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Common Consequences

Applicable Platforms

Unsynchronized Access to Shared Data in a Multithreaded Context

Common Consequences

Applicable Platforms

Iscriviti alla newsletter