
CVE-2025-50946: n/a

Severity: Medium
Published: Wed Aug 13 2025 (08/13/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go.

AI-Powered Analysis

AI analysis last updated: 08/13/2025, 17:34:57 UTC

Technical Analysis

CVE-2025-50946 is an OS Command Injection vulnerability identified in the Olivetin software, specifically in version 2025.4.22, within the Custom Themes feature. The vulnerability resides in the ParseRequestURI function located in the service/internal/executor/arguments.go source file. OS Command Injection vulnerabilities occur when an application improperly sanitizes user input that is subsequently passed to a system shell or command interpreter, allowing an attacker to execute arbitrary operating system commands with the privileges of the vulnerable application. In this case, the vulnerability is triggered through crafted input in the Custom Themes functionality, which likely processes user-supplied URIs or parameters. The lack of proper input validation or sanitization in the ParseRequestURI function enables attackers to inject malicious commands. Although no known exploits are currently reported in the wild, the vulnerability is publicly disclosed and published as of August 13, 2025. No CVSS score has been assigned yet, and no patches or mitigations have been officially released. The absence of a CVSS score and patch information suggests that this is a newly disclosed vulnerability requiring immediate attention from users of Olivetin 2025.4.22. The vulnerability's exploitation could allow attackers to execute arbitrary commands on the underlying operating system, potentially leading to full system compromise, data theft, service disruption, or lateral movement within a network.

Potential Impact

For European organizations using Olivetin 2025.4.22, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized command execution on critical servers, resulting in data breaches, service outages, or deployment of further malware. Organizations in sectors such as finance, healthcare, government, and critical infrastructure are particularly at risk due to the sensitive nature of their data and the potential for operational disruption. The ability to execute OS commands could allow attackers to escalate privileges, exfiltrate confidential information, or disrupt services, impacting confidentiality, integrity, and availability. Given the lack of known exploits, the threat may currently be theoretical, but the public disclosure increases the risk of future exploitation. European organizations with internet-facing Olivetin deployments or those integrating Custom Themes functionality should consider this vulnerability a high priority for risk assessment and mitigation.

Mitigation Recommendations

Immediate mitigation steps include conducting a thorough inventory to identify all instances of Olivetin 2025.4.22 in use, especially those exposing the Custom Themes feature. Until an official patch is released, organizations should implement strict input validation and sanitization controls at the application or web server level to block malicious payloads targeting the ParseRequestURI function. Employing Web Application Firewalls (WAFs) with custom rules to detect and block command injection patterns can reduce exposure. Restricting permissions of the Olivetin application process to the minimum necessary privileges can limit the impact of successful exploitation. Monitoring logs for unusual command execution attempts or anomalies in theme-related requests is critical for early detection. Organizations should engage with Olivetin vendors or security communities for updates and patches and prioritize timely deployment once available. Additionally, network segmentation and limiting access to Olivetin management interfaces can reduce attack surface.
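The analysis above attributes the flaw to ParseRequestURI and the mitigation asks for strict input validation before values reach a command. As an added illustration that is not Olivetin's code (the function names, the allowlist pattern and the sample value are hypothetical), the Go snippet below shows why a URI-syntax check such as url.ParseRequestURI is not an argument-safety check, and what an allowlist validator combined with argv-style execution looks like:

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os/exec"
	"regexp"
	"strings"
)

// Hypothetical allowlist: only characters that mean nothing to a POSIX shell.
// Tighten it per argument type (a version string, a host name, ...).
var safeArgPattern = regexp.MustCompile(`^[A-Za-z0-9._:/@%+=-]+$`)
var ErrUnsafeArgument = errors.New("argument rejected by allowlist")

// LooksLikeURI reports whether Go's URL parser accepts the value. That is a
// syntax check only: a well-formed URI path may still carry $, ; or ( ).
func LooksLikeURI(value string) bool {
	_, err := url.ParseRequestURI(value)
	return err == nil
}

// ValidateArgument accepts a value only if it matches the allowlist (which
// excludes every shell metacharacter) and cannot be mistaken for an option.
func ValidateArgument(value string) error {
	if !safeArgPattern.MatchString(value) {
		return ErrUnsafeArgument
	}
	if strings.HasPrefix(value, "-") {
		return fmt.Errorf("%w: leading dash looks like an option", ErrUnsafeArgument)
	}
	return nil
}

// BuildCommand validates every argument and builds an argv slice, so each value
// reaches the program as a single argument and never passes through a shell.
func BuildCommand(binary string, args []string) (*exec.Cmd, error) {
	for _, a := range args {
		if err := ValidateArgument(a); err != nil {
			return nil, fmt.Errorf("%q: %w", a, err)
		}
	}
	return exec.Command(binary, args...), nil
}

func main() {
	s := "http://example.com/$(id)" // constructed sample: valid URI, unsafe argument
	fmt.Println("parses as URI:", LooksLikeURI(s), "passes allowlist:", ValidateArgument(s) == nil)
}
```

The constructed sample parses as a request URI yet fails the allowlist, which is the gap a parser-only check leaves open.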


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 689cc8bead5a09ad004f5c8f

Added to database: 8/13/2025, 5:17:50 PM

Last enriched: 8/13/2025, 5:34:57 PM

Last updated: 9/2/2025, 9:14:45 AM
