CVE-2026-30224
published 2026-03-06


Priority: P3 (36)
Severity: medium, 5.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.30% (21.8th percentile)

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1.
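
The logout behaviour described above, as an added example that is not OliveTin's code: a hypothetical session table (`Store`, the `sid` cookie name and `StillValidAfterLogout` are assumptions) whose logout either only clears the cookie or also deletes the server-side record, with a check of whether a session ID kept from before logout is still accepted.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)
// Store is a hypothetical server-side session table (not OliveTin's code).
type Store struct{ sessions sync.Map } // session ID -> expiry (time.Time)

func (s *Store) Create(ttl time.Duration) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	id := hex.EncodeToString(b)
	s.sessions.Store(id, time.Now().Add(ttl))
	return id
}

func (s *Store) Valid(id string) bool {
	exp, ok := s.sessions.Load(id)
	return ok && time.Now().Before(exp.(time.Time))
}

// Logout always expires the cookie; the record is deleted only if revoke is true.
func (s *Store) Logout(w http.ResponseWriter, r *http.Request, revoke bool) {
	if c, err := r.Cookie("sid"); err == nil && revoke {
		s.sessions.Delete(c.Value)
	}
	http.SetCookie(w, &http.Cookie{Name: "sid", Path: "/", MaxAge: -1})
}

// StillValidAfterLogout reports whether a pre-logout session ID is still accepted.
func StillValidAfterLogout(revoke bool) bool {
	s := &Store{}
	id := s.Create(365 * 24 * time.Hour) // constructed value, about one year
	r := httptest.NewRequest(http.MethodPost, "/logout", nil)
	r.AddCookie(&http.Cookie{Name: "sid", Value: id})
	s.Logout(httptest.NewRecorder(), r, revoke)
	return s.Valid(id)
}

func main() {
	fmt.Println(StillValidAfterLogout(false), StillValidAfterLogout(true)) // cookie-only, revoking
}
```

The same check works as a regression test after upgrading: log in, keep the session value, log out, and confirm the kept value is rejected.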

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | olivetin_olivetin | >= 0 < 0.0.0-20260304233115-d6a0abc3755d15 | 0.0.0-20260304233115-d6a0abc3755d15 |
| olivetin | olivetin | < 3000.11.1 | 3000.11.1 |