This document lists known duplicate security advisory clusters for OliveTin/OliveTin. When triaging new reports, check here and open advisories before accepting.
Duplicate policy: the earliest reporter on the canonical advisory receives primary credit. Later reporters are credited on the canonical advisory when closed as duplicates. See SECURITY.md.
next, publish advisory, credit reporters in advisory body (not commit message).Canonical: GHSA-vc6p-m6vx-6cwq — reporter knight-yagami (2026-03-04)
Untrusted command output or template variables interpolated into shellAfterCompleted and executed via sh -c.
| GHSA | Reporter | Status | Notes |
|---|---|---|---|
| GHSA-vc6p-m6vx-6cwq | knight-yagami | closed (canonical) | Original report |
| GHSA-v5gc-hqpq-227p | 0xkakash1 | closed (duplicate) | Output template variant |
| GHSA-m7wr-wj5j-7459 | Ryu7zz | duplicate | Webhook exec → output → shellAfterCompleted |
| GHSA-cjxm-x848-6vmc | Yesuhei | duplicate | Missing shell safety on after-completion |
| GHSA-j9p9-36jc-2v8w | anushkavirgaonkar | duplicate | Same root cause |
Fix: shell-quote output/exitCode before template render; block shellAfterCompleted for webhook-tagged actions.
CVSS note: requires admin-configured shellAfterCompleted and attacker influence on output — typically PR:H not PR:N.
Canonical: GHSA-xpxj-f2fm-rqch — reporter knight-yagami (2026-03-04)
Unauthenticated /oauth/login grows registeredStates without TTL or cap.
| GHSA | Reporter | Status | Notes |
|---|---|---|---|
| GHSA-xpxj-f2fm-rqch | knight-yagami | closed (canonical) | Original report |
| GHSA-cj96-c55v-2f3c | Dredsen | duplicate | Same unbounded map |
Fix: TTL sweep (match 15-minute cookie MaxAge), max map size, cleanup on failed callback.
CVSS note: unauthenticated DoS — reported 7.5 is appropriate.
Canonical: GHSA-45pc-w4ph-hrq4 — reporter fg0x0 (2026-03-09)
url type accepts file://, gopher://, etc. Blocked in shell: mode but still validated weakly for exec: actions.
| GHSA | Reporter | Status | Notes |
|---|---|---|---|
| GHSA-45pc-w4ph-hrq4 | fg0x0 | closed (canonical) | Original report |
| GHSA-cchg-25m4-q6rj | anushkavirgaonkar | duplicate | Same scheme validation gap |
Fix: allowlist http/https in typeSafetyCheckUrl.
CVSS note: admin must configure exec: action passing URL to external tool — PR:H.
regex: argument type in shell actionsCanonical: GHSA-xc5w-4v5w-7x65 — reporter Ayantaker (2026-05-06)
regex: types not in shell denylist; partial MatchString allows injection suffixes.
| GHSA | Reporter | Status | Notes |
|---|---|---|---|
| GHSA-xc5w-4v5w-7x65 | Ayantaker | canonical | Missing denylist entry |
| GHSA-gvxq-7gvp-4ggr | anushkavirgaonkar | duplicate | Unanchored partial match |
Fix: deny regex: in shell mode; enforce full-string match for custom regex types.
Canonical: GHSA-c26w-h42g-jfp9 — reporter sec-reex (2026-07-03)
CVE-2026-27626 added password to denylist only; html, confirmation, and choiceless checkbox still skip validation and are allowed in shell: actions.
Fix: extend checkShellArgumentSafety denylist.
Canonical: GHSA-jm28-2wcr-qf3h — reporter offset (2026-03-12)
StartActionAndWait / StartActionByGetAndWait return full log output without logs ACL check.
No known duplicates.
Fix: apply isLogEntryAllowed before returning LogEntry.
CVSS note: requires authenticated user with exec but not logs — typically 4.3–5.3 not 6.5.
| Topic | Advisories | Distinction |
|---|---|---|
| OAuth2 state DoS vs OAuth2 auth bypass | GHSA-xpxj vs GHSA-3v7p | DoS fills state map; bypass spoofs authHttpHeaderUsername |
shellAfterCompleted vs direct shell injection |
GHSA-vc6p vs GHSA-49gm | Second-order via output vs first-order argument injection |
ValidateArgumentType enumeration |
GHSA-f637 vs GHSA-x6q3 | Same issue; GHSA-f637 published |