<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-07-05T16:42:23.660487+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the most 10 recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/ce085e74-1bdc-4f9a-a3a0-b25079c1a366/export</id>
    <title>ce085e74-1bdc-4f9a-a3a0-b25079c1a366</title>
    <updated>2026-07-05T16:42:23.684137+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "ce085e74-1bdc-4f9a-a3a0-b25079c1a366", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48704", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mp2vejghfq2f", "content": "CVE-2026-48704 - Warp Markdown notebook links may open executable local files\nCVE ID : CVE-2026-48704\n \n Published : June 24, 2026, 5:35 p.m. | 3\u00a0hours, 35\u00a0minutes ago\n \n Description : Warp is an agentic development environment. From 0.2023.10.24.08.03.stable_00 until 0.2026.0...", "creation_timestamp": "2026-06-24T21:48:12.107957Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/ce085e74-1bdc-4f9a-a3a0-b25079c1a366/export"/>
    <published>2026-06-24T21:48:12.107957+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/10b19d20-1371-425a-a757-d2f1d7093535/export</id>
    <title>10b19d20-1371-425a-a757-d2f1d7093535</title>
    <updated>2026-07-05T16:42:23.686632+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "10b19d20-1371-425a-a757-d2f1d7093535", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48708", "type": "seen", "source": "https://gist.github.com/alon710/3e7dd842c80dfd534275b1d215c3d4b9", "content": "# CVE-2026-48708: CVE-2026-48708: Concurrent Template Parsing Race Condition in OliveTin leading to Cross-Request Command Contamination\n\n&amp;gt; **CVSS Score:** 7.5\n&amp;gt; **Published:** 2026-06-24\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48708\n\n## Summary\nCVE-2026-48708 details a critical concurrency synchronization flaw in OliveTin versions &amp;lt; 3000.13.0. A shared package-level text/template.Template instance is accessed concurrently across multiple goroutines without proper synchronization. When concurrent request processing occurs, a race condition causes Go runtime panics or command contamination across separate sessions, enabling denial of service or execution of contaminated commands.\n\n## TL;DR\nA concurrent template parsing race condition in OliveTin allows authenticated users to crash the daemon or cause cross-request command contamination, potentially executing unauthorized commands.\n\n## Technical Details\n\n- **CWE ID**: CWE-362\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 7.5 (High)\n- **EPSS Score**: 0.00349 (0.349%)\n- **Exploit Status**: None / Theoretical\n- **CISA KEV Status**: Not Listed\n- **Primary Impact**: Denial of Service / Command Contamination\n\n## Affected Systems\n\n- OliveTin versions prior to 3000.13.0\n- **OliveTin**: &amp;lt; 3000.13.0 (Fixed in: `3000.13.0`)\n\n## Mitigation\n\n- Upgrade OliveTin to version 3000.13.0 or later.\n- Implement strict rate-limiting on reverse proxies to limit concurrent execution requests to 1.\n- Restrict access to the OliveTin control panel using strong multi-factor authentication and trusted IP networks.\n\n**Remediation Steps:**\n1. Identify current OliveTin deployments running versions prior to 3000.13.0.\n2. Pull the updated Docker image or download the latest binary from the official release page: https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0\n3. Deploy the update and restart the daemon to apply the template isolation patches.\n4. Validate the update by checking logs for the absence of Go concurrent map write panic traces.\n\n## References\n\n- [GitHub Security Advisory GHSA-7fq5-7wr8-rjwj](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-7fq5-7wr8-rjwj)\n- [OliveTin Remediation Commit](https://github.com/OliveTin/OliveTin/commit/d74da9314005954dd49fa20dabf272247bc76519)\n- [OliveTin Release 3000.13.0](https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0)\n- [CVE.org Official Record](https://www.cve.org/CVERecord?id=CVE-2026-48708)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48708) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T20:02:14.810358Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/10b19d20-1371-425a-a757-d2f1d7093535/export"/>
    <published>2026-06-24T20:02:14.810358+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/7063a9f8-32ad-4029-8c0d-714494ed320b/export</id>
    <title>7063a9f8-32ad-4029-8c0d-714494ed320b</title>
    <updated>2026-07-05T16:42:23.686729+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "7063a9f8-32ad-4029-8c0d-714494ed320b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48708", "type": "seen", "source": "https://gist.github.com/alon710/cb59405487e5944ed006860e5bc630ab", "content": "# CVE-2026-48708: CVE-2026-48708: Concurrent Template Parsing Race Condition in OliveTin leading to Cross-Request Command Contamination\n\n&amp;gt; **CVSS Score:** 7.5\n&amp;gt; **Published:** 2026-06-24\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48708\n\n## Summary\nCVE-2026-48708 details a critical concurrency synchronization flaw in OliveTin versions &amp;lt; 3000.13.0. A shared package-level text/template.Template instance is accessed concurrently across multiple goroutines without proper synchronization. When concurrent request processing occurs, a race condition causes Go runtime panics or command contamination across separate sessions, enabling denial of service or execution of contaminated commands.\n\n## TL;DR\nA concurrent template parsing race condition in OliveTin allows authenticated users to crash the daemon or cause cross-request command contamination, potentially executing unauthorized commands.\n\n## Technical Details\n\n- **CWE ID**: CWE-362\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1 Score**: 7.5 (High)\n- **EPSS Score**: 0.00349 (0.349%)\n- **Exploit Status**: None / Theoretical\n- **CISA KEV Status**: Not Listed\n- **Primary Impact**: Denial of Service / Command Contamination\n\n## Affected Systems\n\n- OliveTin versions prior to 3000.13.0\n- **OliveTin**: &amp;lt; 3000.13.0 (Fixed in: `3000.13.0`)\n\n## Mitigation\n\n- Upgrade OliveTin to version 3000.13.0 or later.\n- Implement strict rate-limiting on reverse proxies to limit concurrent execution requests to 1.\n- Restrict access to the OliveTin control panel using strong multi-factor authentication and trusted IP networks.\n\n**Remediation Steps:**\n1. Identify current OliveTin deployments running versions prior to 3000.13.0.\n2. Pull the updated Docker image or download the latest binary from the official release page: https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0\n3. Deploy the update and restart the daemon to apply the template isolation patches.\n4. Validate the update by checking logs for the absence of Go concurrent map write panic traces.\n\n## References\n\n- [GitHub Security Advisory GHSA-7fq5-7wr8-rjwj](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-7fq5-7wr8-rjwj)\n- [OliveTin Remediation Commit](https://github.com/OliveTin/OliveTin/commit/d74da9314005954dd49fa20dabf272247bc76519)\n- [OliveTin Release 3000.13.0](https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0)\n- [CVE.org Official Record](https://www.cve.org/CVERecord?id=CVE-2026-48708)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48708) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T19:54:03.179003Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/7063a9f8-32ad-4029-8c0d-714494ed320b/export"/>
    <published>2026-06-24T19:54:03.179003+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/a2146757-f5ab-430e-bd03-70b0f1bac47c/export</id>
    <title>a2146757-f5ab-430e-bd03-70b0f1bac47c</title>
    <updated>2026-07-05T16:42:23.686810+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "a2146757-f5ab-430e-bd03-70b0f1bac47c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48709", "type": "seen", "source": "https://gist.github.com/alon710/1366cab1be37fd922161593dd6bd5218", "content": "# CVE-2026-48709: CVE-2026-48709: Missing Authorization in OliveTin ValidateArgumentType RPC Endpoint\n\n&amp;gt; **CVSS Score:** 3.7\n&amp;gt; **Published:** 2026-06-24\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48709\n\n## Summary\nA missing authorization vulnerability in the OliveTin system allows unauthenticated remote actors to query the ValidateArgumentType RPC endpoint. By exploiting this flaw, attackers can execute systematic brute-force and side-channel validation attacks to enumerate active action binding IDs, parameter structures, and operational metadata, bypassing configured guest authentication barriers.\n\n## TL;DR\nOliveTin prior to version 3000.13.0 exposes its ValidateArgumentType API endpoint to unauthenticated guest users. Remote attackers can leverage this missing access control to execute oracle-style enumeration attacks, mapping out administrative action binding IDs and parameter requirements.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-862\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1**: 3.7\n- **EPSS Score**: 0.00269\n- **Impact**: Low (Information Disclosure / Reconnaissance)\n- **Exploit Status**: Proof of Concept (PoC) documented\n- **KEV Status**: Not listed in CISA KEV\n\n## Affected Systems\n\n- OliveTin (All versions prior to 3000.13.0)\n- **OliveTin**: &amp;lt; 3000.13.0 (Fixed in: `3000.13.0`)\n\n## Mitigation\n\n- Upgrade OliveTin to version 3000.13.0 or later\n- Deploy a reverse proxy (Nginx/Caddy) to block access to the ValidateArgumentType RPC endpoints\n- Use high-entropy, randomized action titles to prevent brute-forcing of binding IDs\n\n**Remediation Steps:**\n1. Step 1: Identify all running OliveTin containers or binary instances in the environment.\n2. Step 2: Update the deployment configurations (Docker Compose, systemd) to reference version 3000.13.0 or higher.\n3. Step 3: If upgrade is delayed, add a location block in the reverse proxy configuration to return 403 for /api/ValidateArgumentType.\n4. Step 4: Audit existing action titles and rewrite highly predictable names using high-entropy suffixes.\n\n## References\n\n- [GHSA-f637-w7p2-m7fx: OliveTin Missing Authorization in ValidateArgumentType](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx)\n- [NVD - CVE-2026-48709 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-48709)\n- [OliveTin GitHub Project Page](https://github.com/OliveTin/OliveTin)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48709) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T19:04:03.100639Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/a2146757-f5ab-430e-bd03-70b0f1bac47c/export"/>
    <published>2026-06-24T19:04:03.100639+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/258998c1-54ba-4029-bb11-c6cda285967b/export</id>
    <title>258998c1-54ba-4029-bb11-c6cda285967b</title>
    <updated>2026-07-05T16:42:23.686890+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "258998c1-54ba-4029-bb11-c6cda285967b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48709", "type": "seen", "source": "https://gist.github.com/alon710/f2b2f51072808beda8e52a43b0bdd064", "content": "# CVE-2026-48709: CVE-2026-48709: Missing Authorization in OliveTin ValidateArgumentType RPC Endpoint\n\n&amp;gt; **CVSS Score:** 3.7\n&amp;gt; **Published:** 2026-06-24\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48709\n\n## Summary\nA missing authorization vulnerability in the OliveTin system allows unauthenticated remote actors to query the ValidateArgumentType RPC endpoint. By exploiting this flaw, attackers can execute systematic brute-force and side-channel validation attacks to enumerate active action binding IDs, parameter structures, and operational metadata, bypassing configured guest authentication barriers.\n\n## TL;DR\nOliveTin prior to version 3000.13.0 exposes its ValidateArgumentType API endpoint to unauthenticated guest users. Remote attackers can leverage this missing access control to execute oracle-style enumeration attacks, mapping out administrative action binding IDs and parameter requirements.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-862\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1**: 3.7\n- **EPSS Score**: 0.00269\n- **Impact**: Low (Information Disclosure / Reconnaissance)\n- **Exploit Status**: Proof of Concept (PoC) documented\n- **KEV Status**: Not listed in CISA KEV\n\n## Affected Systems\n\n- OliveTin (All versions prior to 3000.13.0)\n- **OliveTin**: &amp;lt; 3000.13.0 (Fixed in: `3000.13.0`)\n\n## Mitigation\n\n- Upgrade OliveTin to version 3000.13.0 or later\n- Deploy a reverse proxy (Nginx/Caddy) to block access to the ValidateArgumentType RPC endpoints\n- Use high-entropy, randomized action titles to prevent brute-forcing of binding IDs\n\n**Remediation Steps:**\n1. Step 1: Identify all running OliveTin containers or binary instances in the environment.\n2. Step 2: Update the deployment configurations (Docker Compose, systemd) to reference version 3000.13.0 or higher.\n3. Step 3: If upgrade is delayed, add a location block in the reverse proxy configuration to return 403 for /api/ValidateArgumentType.\n4. Step 4: Audit existing action titles and rewrite highly predictable names using high-entropy suffixes.\n\n## References\n\n- [GHSA-f637-w7p2-m7fx: OliveTin Missing Authorization in ValidateArgumentType](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx)\n- [NVD - CVE-2026-48709 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-48709)\n- [OliveTin GitHub Project Page](https://github.com/OliveTin/OliveTin)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48709) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T18:43:21.864665Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/258998c1-54ba-4029-bb11-c6cda285967b/export"/>
    <published>2026-06-24T18:43:21.864665+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/ee9567de-ac9f-4c30-b983-6635cfdeb129/export</id>
    <title>ee9567de-ac9f-4c30-b983-6635cfdeb129</title>
    <updated>2026-07-05T16:42:23.686968+00:00</updated>
    <author>
      <name>Joseph Lee</name>
      <uri>https://cvepremium.circl.lu/user/syspect</uri>
    </author>
    <content>{"uuid": "ee9567de-ac9f-4c30-b983-6635cfdeb129", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-48708", "type": "published-proof-of-concept", "source": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-7fq5-7wr8-rjwj", "content": "", "creation_timestamp": "2026-06-24T18:35:07.665338Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/ee9567de-ac9f-4c30-b983-6635cfdeb129/export"/>
    <published>2026-06-24T18:35:07.665338+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/cd8be0af-a6ff-42c3-a67b-af9d1f1f68e1/export</id>
    <title>cd8be0af-a6ff-42c3-a67b-af9d1f1f68e1</title>
    <updated>2026-07-05T16:42:23.687718+00:00</updated>
    <author>
      <name>Joseph Lee</name>
      <uri>https://cvepremium.circl.lu/user/syspect</uri>
    </author>
    <content>{"uuid": "cd8be0af-a6ff-42c3-a67b-af9d1f1f68e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-48709", "type": "published-proof-of-concept", "source": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx", "content": "", "creation_timestamp": "2026-06-24T18:35:05.246942Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/cd8be0af-a6ff-42c3-a67b-af9d1f1f68e1/export"/>
    <published>2026-06-24T18:35:05.246942+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/e139f191-2831-438b-ad3b-a67df7c60117/export</id>
    <title>e139f191-2831-438b-ad3b-a67df7c60117</title>
    <updated>2026-07-05T16:42:23.687790+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "e139f191-2831-438b-ad3b-a67df7c60117", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48700", "type": "seen", "source": "https://bsky.app/profile/matoken.inari.opencocon.org.ap.brid.gy/post/3mmmusivcvso2", "content": "\u6700\u8fd1\u4f7f\u3063\u3066\u3044\u308b\u30d5\u30a1\u30a4\u30e9\u30fc\u306bCVE\u304c\n\nCVE Record: CVE-2026-48700 https://www.cve.org/CVERecord?id=CVE-2026-48700", "creation_timestamp": "2026-05-24T21:10:32.389712Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/e139f191-2831-438b-ad3b-a67df7c60117/export"/>
    <published>2026-05-24T21:10:32.389712+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/f0021020-7669-4e3e-af43-c2729fbbcc5c/export</id>
    <title>f0021020-7669-4e3e-af43-c2729fbbcc5c</title>
    <updated>2026-07-05T16:42:23.687858+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "f0021020-7669-4e3e-af43-c2729fbbcc5c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48700", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmi2fe6z5d2h", "content": "CVE-2026-48700 - PCManFM-Qt File Path URI Execution\nCVE ID : CVE-2026-48700\n \n Published : May 22, 2026, 6:43 p.m. | 1\u00a0hour, 37\u00a0minutes ago\n \n Description : An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI...", "creation_timestamp": "2026-05-22T23:07:23.664837Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/f0021020-7669-4e3e-af43-c2729fbbcc5c/export"/>
    <published>2026-05-22T23:07:23.664837+00:00</published>
  </entry>
</feed>
