{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T00:43:43.193","vulnerabilities":[{"cve":{"id":"CVE-2026-31817","sourceIdentifier":"security-advisories@github.com","published":"2026-03-10T22:16:19.167","lastModified":"2026-03-12T18:12:18.937","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied UniqueTrackingId field in the StartAction API request. This value is not validated or sanitized before being used in a file path, allowing an attacker to use directory traversal sequences (e.g., ../../../) to write files to arbitrary locations on the filesystem. This vulnerability is fixed in 3000.11.2."},{"lang":"es","value":"OliveTin da acceso a comandos shell predefinidos desde una interfaz web. Antes de la versión 3000.11.2, cuando la función saveLogs está habilitada, OliveTin persiste las entradas del registro de ejecución en el disco. El nombre de archivo utilizado para estos archivos de registro se construye en parte a partir del campo UniqueTrackingId proporcionado por el usuario en la solicitud de la API StartAction. Este valor no se valida ni se sanea antes de ser utilizado en una ruta de archivo, lo que permite a un atacante utilizar secuencias de salto de directorio (por ejemplo, ../../../) para escribir archivos en ubicaciones arbitrarias del sistema de archivos. Esta vulnerabilidad se corrige en la versión 3000.11.2."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":3.1,"impactScore":4.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:olivetin:olivetin:*:*:*:*:*:*:*:*","versionEndExcluding":"3000.11.2","matchCriteriaId":"E567D99A-8144-49A6-B3A5-D5ADC096809A"}]}]}],"references":[{"url":"https://github.com/OliveTin/OliveTin/security/advisories/GHSA-364q-w7vh-vhpc","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}