PT-2026-24467 · Olivetin · Olivetin

Iconnnjka

Published: 2026-03-10 · Updated: 2026-03-25

CVE-2026-31817

CVSS v3.1: 8.5 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

Name of the Vulnerable Software and Affected Versions

OliveTin versions prior to 3000.11.2

Description

OliveTin provides access to predefined shell commands through a web interface. When the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename for these logs is constructed using the UniqueTrackingId field from the StartAction API request. The StartAction API endpoint accepts this value without validation or sanitization, so directory traversal sequences such as ../../../ in it allow an attacker to write files to arbitrary locations on the filesystem.

Recommendations

Update to version 3000.11.2 or later.
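
The flaw class described above, sketched in Go as an added example (not OliveTin's code or its actual fix): `unsafeLogPath` joins a client-supplied ID into the log filename unchecked, while `safeLogPath` applies an allow-list and then a containment check. The function names, the `.log` suffix, the ID format and the directory are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// All names below are hypothetical; this is not OliveTin's code.

// unsafeLogPath mirrors the flaw class: the client-supplied ID is joined
// into the path unchecked, so "../" sequences survive into the result.
func unsafeLogPath(logDir, trackingID string) string {
	return filepath.Join(logDir, trackingID+".log")
}

// Allow-list for IDs (assumed format): short tokens, no separators or dots.
var idPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

var errBadID = errors.New("invalid tracking id")

// safeLogPath validates the ID, then confirms the joined path is still
// inside logDir as a second, independent check.
func safeLogPath(logDir, trackingID string) (string, error) {
	if !idPattern.MatchString(trackingID) {
		return "", errBadID
	}
	base := filepath.Clean(logDir)
	p := filepath.Join(base, trackingID+".log")
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadID
	}
	return p, nil
}

func main() {
	dir := "/var/log/olivetin-example" // constructed path
	for _, id := range []string{"3f2a9c1e-7b4d-4e0a-9c11-5d2f8a6b0e77", "../../../tmp/x"} {
		p, err := safeLogPath(dir, id)
		fmt.Printf("id=%q unsafe=%q safe=%q err=%v\n", id, unsafeLogPath(dir, id), p, err)
	}
}
```

Rejecting the request outright, rather than stripping the traversal sequences and continuing, keeps a malformed ID from ever reaching the filesystem layer.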

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-31817
GHSA-364Q-W7VH-VHPC
GO-2026-4670
SUSE-SU-2026:1042-1

Affected Products

Olivetin