GHSA-49GM-HH7W-WFVF OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks
Summary OliveTin's shell mode safety check checkShellArgumentSafety blocks several dangerous argument types but not password. A user supplying a password-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via...