Search
Find a vulnerability
Search criteria
10 vulnerabilities found for PicoClaw by Sipeed
CVE-2026-15320 (GCVE-0-2026-15320)
Vulnerability from nvd – Published: 2026-07-10 02:00 – Updated: 2026-07-10 02:00
VLAI
EPSS
VEX
Title
Sipeed PicoClaw pico.go rt.ReloadConfig authorization
Summary
A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity.
Severity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377260 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377260/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15320 | third-party-advisory |
| https://vuldb.com/submit/852942 | third-party-advisory |
| https://github.com/sipeed/picoclaw/issues/3071 | exploitissue-tracking |
| https://github.com/sipeed/picoclaw/ | product |
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
],
"product": "PicoClaw",
"vendor": "Sipeed",
"versions": [
{
"status": "affected",
"version": "0.2.0"
},
{
"status": "affected",
"version": "0.2.1"
},
{
"status": "affected",
"version": "0.2.2"
},
{
"status": "affected",
"version": "0.2.3"
},
{
"status": "affected",
"version": "0.2.4"
},
{
"status": "affected",
"version": "0.2.5"
},
{
"status": "affected",
"version": "0.2.6"
},
{
"status": "affected",
"version": "0.2.7"
},
{
"status": "affected",
"version": "0.2.8"
},
{
"status": "affected",
"version": "0.2.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-i (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T02:00:08.478Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377260 | Sipeed PicoClaw pico.go rt.ReloadConfig authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377260"
},
{
"name": "VDB-377260 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377260/cti"
},
{
"name": "CVE-2026-15320 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15320"
},
{
"name": "Submit #852942 | Sipeed PicoClaw \u003c= 0.2.9 Missing Authorization (CWE-862)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852942"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/sipeed/picoclaw/issues/3071"
},
{
"tags": [
"product"
],
"url": "https://github.com/sipeed/picoclaw/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:12:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "Sipeed PicoClaw pico.go rt.ReloadConfig authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15320",
"datePublished": "2026-07-10T02:00:08.478Z",
"dateReserved": "2026-07-09T18:07:40.636Z",
"dateUpdated": "2026-07-10T02:00:08.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15319 (GCVE-0-2026-15319)
Vulnerability from nvd – Published: 2026-07-10 01:45 – Updated: 2026-07-10 01:45
VLAI
EPSS
VEX
Title
Sipeed PicoClaw Launcher access_control.go IPAllowlist access control
Summary
A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue.
Severity
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377259 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377259/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15319 | third-party-advisory |
| https://vuldb.com/submit/852884 | third-party-advisory |
| https://github.com/sipeed/picoclaw/issues/3069 | exploitissue-tracking |
| https://github.com/sipeed/picoclaw/pull/3126 | issue-trackingpatch |
| https://github.com/sipeed/picoclaw/ | product |
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
],
"modules": [
"Launcher"
],
"product": "PicoClaw",
"vendor": "Sipeed",
"versions": [
{
"status": "affected",
"version": "0.2.0"
},
{
"status": "affected",
"version": "0.2.1"
},
{
"status": "affected",
"version": "0.2.2"
},
{
"status": "affected",
"version": "0.2.3"
},
{
"status": "affected",
"version": "0.2.4"
},
{
"status": "affected",
"version": "0.2.5"
},
{
"status": "affected",
"version": "0.2.6"
},
{
"status": "affected",
"version": "0.2.7"
},
{
"status": "affected",
"version": "0.2.8"
},
{
"status": "affected",
"version": "0.2.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-d (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T01:45:08.961Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377259 | Sipeed PicoClaw Launcher access_control.go IPAllowlist access control",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377259"
},
{
"name": "VDB-377259 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377259/cti"
},
{
"name": "CVE-2026-15319 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15319"
},
{
"name": "Submit #852884 | Sipeed PicoClaw Unreleased main branch after launcher introduction commit `e55b3b7a8d0b1ea1522da08fd46155ee4f58b794` and before a fix is merged Improper Access Control (CWE-284)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852884"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/sipeed/picoclaw/issues/3069"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/sipeed/picoclaw/pull/3126"
},
{
"tags": [
"product"
],
"url": "https://github.com/sipeed/picoclaw/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:12:54.000Z",
"value": "VulDB entry last update"
}
],
"title": "Sipeed PicoClaw Launcher access_control.go IPAllowlist access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15319",
"datePublished": "2026-07-10T01:45:08.961Z",
"dateReserved": "2026-07-09T18:07:37.685Z",
"dateUpdated": "2026-07-10T01:45:08.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15318 (GCVE-0-2026-15318)
Vulnerability from nvd – Published: 2026-07-10 01:30 – Updated: 2026-07-10 01:30
VLAI
EPSS
VEX
Title
Sipeed PicoClaw MQTT Channel mqtt.go authorization
Summary
A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument client_id causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
Severity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377258 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377258/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15318 | third-party-advisory |
| https://vuldb.com/submit/852879 | third-party-advisory |
| https://github.com/sipeed/picoclaw/issues/3068 | exploitissue-tracking |
| https://github.com/sipeed/picoclaw/ | product |
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
],
"modules": [
"MQTT Channel Handler"
],
"product": "PicoClaw",
"vendor": "Sipeed",
"versions": [
{
"status": "affected",
"version": "0.2.0"
},
{
"status": "affected",
"version": "0.2.1"
},
{
"status": "affected",
"version": "0.2.2"
},
{
"status": "affected",
"version": "0.2.3"
},
{
"status": "affected",
"version": "0.2.4"
},
{
"status": "affected",
"version": "0.2.5"
},
{
"status": "affected",
"version": "0.2.6"
},
{
"status": "affected",
"version": "0.2.7"
},
{
"status": "affected",
"version": "0.2.8"
},
{
"status": "affected",
"version": "0.2.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-d (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument client_id causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The reported GitHub issue was closed automatically due to inactivity."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T01:30:09.422Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377258 | Sipeed PicoClaw MQTT Channel mqtt.go authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377258"
},
{
"name": "VDB-377258 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377258/cti"
},
{
"name": "CVE-2026-15318 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15318"
},
{
"name": "Submit #852879 | Sipeed PicoClaw \u003c= 0.2.9 Incorrect Authorization (CWE-863)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852879"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/sipeed/picoclaw/issues/3068"
},
{
"tags": [
"product"
],
"url": "https://github.com/sipeed/picoclaw/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:12:47.000Z",
"value": "VulDB entry last update"
}
],
"title": "Sipeed PicoClaw MQTT Channel mqtt.go authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15318",
"datePublished": "2026-07-10T01:30:09.422Z",
"dateReserved": "2026-07-09T18:07:35.019Z",
"dateUpdated": "2026-07-10T01:30:09.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15317 (GCVE-0-2026-15317)
Vulnerability from nvd – Published: 2026-07-10 00:00 – Updated: 2026-07-10 00:00
VLAI
EPSS
VEX
Title
Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery
Summary
A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
Severity
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377257 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377257/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15317 | third-party-advisory |
| https://vuldb.com/submit/852877 | third-party-advisory |
| https://github.com/sipeed/picoclaw/issues/3078 | exploitissue-tracking |
| https://github.com/sipeed/picoclaw/ | product |
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
],
"modules": [
"Guarded Web Fetch Flow"
],
"product": "PicoClaw",
"vendor": "Sipeed",
"versions": [
{
"status": "affected",
"version": "0.2.0"
},
{
"status": "affected",
"version": "0.2.1"
},
{
"status": "affected",
"version": "0.2.2"
},
{
"status": "affected",
"version": "0.2.3"
},
{
"status": "affected",
"version": "0.2.4"
},
{
"status": "affected",
"version": "0.2.5"
},
{
"status": "affected",
"version": "0.2.6"
},
{
"status": "affected",
"version": "0.2.7"
},
{
"status": "affected",
"version": "0.2.8"
},
{
"status": "affected",
"version": "0.2.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-d (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T00:00:13.247Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377257 | Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377257"
},
{
"name": "VDB-377257 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377257/cti"
},
{
"name": "CVE-2026-15317 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15317"
},
{
"name": "Submit #852877 | Sipeed PicoClaw \u003c= 0.2.9 Server-Side Request Forgery (CWE-918)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852877"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/sipeed/picoclaw/issues/3078"
},
{
"tags": [
"product"
],
"url": "https://github.com/sipeed/picoclaw/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:12:45.000Z",
"value": "VulDB entry last update"
}
],
"title": "Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15317",
"datePublished": "2026-07-10T00:00:13.247Z",
"dateReserved": "2026-07-09T18:07:32.588Z",
"dateUpdated": "2026-07-10T00:00:13.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6987 (GCVE-0-2026-6987)
Vulnerability from nvd – Published: 2026-04-25 16:45 – Updated: 2026-04-27 13:34
VLAI
EPSS
VEX
Title
PicoClaw Web Launcher Management Plane restart command injection
Summary
A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359530 | vdb-entry |
| https://vuldb.com/vuln/359530/cti | signaturepermissions-required |
| https://vuldb.com/submit/796336 | third-party-advisory |
| https://github.com/sipeed/picoclaw/issues/2307 | issue-tracking |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6987",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T13:20:23.522219Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:34:16.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Web Launcher Management Plane"
],
"product": "PicoClaw",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "0.2.0"
},
{
"status": "affected",
"version": "0.2.1"
},
{
"status": "affected",
"version": "0.2.2"
},
{
"status": "affected",
"version": "0.2.3"
},
{
"status": "affected",
"version": "0.2.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "AiSec (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T16:45:09.726Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359530 | PicoClaw Web Launcher Management Plane restart command injection",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/359530"
},
{
"name": "VDB-359530 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359530/cti"
},
{
"name": "Submit #796336 | PicoClaw V0.2.4 Command execution",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/796336"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/sipeed/picoclaw/issues/2307"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-24T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-24T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-24T21:21:36.000Z",
"value": "VulDB entry last update"
}
],
"title": "PicoClaw Web Launcher Management Plane restart command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-6987",
"datePublished": "2026-04-25T16:45:09.726Z",
"dateReserved": "2026-04-24T19:16:31.247Z",
"dateUpdated": "2026-04-27T13:34:16.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15320 (GCVE-0-2026-15320)
Vulnerability from cvelistv5 – Published: 2026-07-10 02:00 – Updated: 2026-07-10 02:00
VLAI
EPSS
VEX
Title
Sipeed PicoClaw pico.go rt.ReloadConfig authorization
Summary
A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity.
Severity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377260 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377260/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15320 | third-party-advisory |
| https://vuldb.com/submit/852942 | third-party-advisory |
| https://github.com/sipeed/picoclaw/issues/3071 | exploitissue-tracking |
| https://github.com/sipeed/picoclaw/ | product |
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
],
"product": "PicoClaw",
"vendor": "Sipeed",
"versions": [
{
"status": "affected",
"version": "0.2.0"
},
{
"status": "affected",
"version": "0.2.1"
},
{
"status": "affected",
"version": "0.2.2"
},
{
"status": "affected",
"version": "0.2.3"
},
{
"status": "affected",
"version": "0.2.4"
},
{
"status": "affected",
"version": "0.2.5"
},
{
"status": "affected",
"version": "0.2.6"
},
{
"status": "affected",
"version": "0.2.7"
},
{
"status": "affected",
"version": "0.2.8"
},
{
"status": "affected",
"version": "0.2.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-i (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T02:00:08.478Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377260 | Sipeed PicoClaw pico.go rt.ReloadConfig authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377260"
},
{
"name": "VDB-377260 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377260/cti"
},
{
"name": "CVE-2026-15320 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15320"
},
{
"name": "Submit #852942 | Sipeed PicoClaw \u003c= 0.2.9 Missing Authorization (CWE-862)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852942"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/sipeed/picoclaw/issues/3071"
},
{
"tags": [
"product"
],
"url": "https://github.com/sipeed/picoclaw/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:12:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "Sipeed PicoClaw pico.go rt.ReloadConfig authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15320",
"datePublished": "2026-07-10T02:00:08.478Z",
"dateReserved": "2026-07-09T18:07:40.636Z",
"dateUpdated": "2026-07-10T02:00:08.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15319 (GCVE-0-2026-15319)
Vulnerability from cvelistv5 – Published: 2026-07-10 01:45 – Updated: 2026-07-10 01:45
VLAI
EPSS
VEX
Title
Sipeed PicoClaw Launcher access_control.go IPAllowlist access control
Summary
A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue.
Severity
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377259 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377259/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15319 | third-party-advisory |
| https://vuldb.com/submit/852884 | third-party-advisory |
| https://github.com/sipeed/picoclaw/issues/3069 | exploitissue-tracking |
| https://github.com/sipeed/picoclaw/pull/3126 | issue-trackingpatch |
| https://github.com/sipeed/picoclaw/ | product |
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
],
"modules": [
"Launcher"
],
"product": "PicoClaw",
"vendor": "Sipeed",
"versions": [
{
"status": "affected",
"version": "0.2.0"
},
{
"status": "affected",
"version": "0.2.1"
},
{
"status": "affected",
"version": "0.2.2"
},
{
"status": "affected",
"version": "0.2.3"
},
{
"status": "affected",
"version": "0.2.4"
},
{
"status": "affected",
"version": "0.2.5"
},
{
"status": "affected",
"version": "0.2.6"
},
{
"status": "affected",
"version": "0.2.7"
},
{
"status": "affected",
"version": "0.2.8"
},
{
"status": "affected",
"version": "0.2.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-d (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T01:45:08.961Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377259 | Sipeed PicoClaw Launcher access_control.go IPAllowlist access control",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377259"
},
{
"name": "VDB-377259 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377259/cti"
},
{
"name": "CVE-2026-15319 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15319"
},
{
"name": "Submit #852884 | Sipeed PicoClaw Unreleased main branch after launcher introduction commit `e55b3b7a8d0b1ea1522da08fd46155ee4f58b794` and before a fix is merged Improper Access Control (CWE-284)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852884"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/sipeed/picoclaw/issues/3069"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/sipeed/picoclaw/pull/3126"
},
{
"tags": [
"product"
],
"url": "https://github.com/sipeed/picoclaw/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:12:54.000Z",
"value": "VulDB entry last update"
}
],
"title": "Sipeed PicoClaw Launcher access_control.go IPAllowlist access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15319",
"datePublished": "2026-07-10T01:45:08.961Z",
"dateReserved": "2026-07-09T18:07:37.685Z",
"dateUpdated": "2026-07-10T01:45:08.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15318 (GCVE-0-2026-15318)
Vulnerability from cvelistv5 – Published: 2026-07-10 01:30 – Updated: 2026-07-10 01:30
VLAI
EPSS
VEX
Title
Sipeed PicoClaw MQTT Channel mqtt.go authorization
Summary
A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument client_id causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
Severity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377258 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377258/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15318 | third-party-advisory |
| https://vuldb.com/submit/852879 | third-party-advisory |
| https://github.com/sipeed/picoclaw/issues/3068 | exploitissue-tracking |
| https://github.com/sipeed/picoclaw/ | product |
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
],
"modules": [
"MQTT Channel Handler"
],
"product": "PicoClaw",
"vendor": "Sipeed",
"versions": [
{
"status": "affected",
"version": "0.2.0"
},
{
"status": "affected",
"version": "0.2.1"
},
{
"status": "affected",
"version": "0.2.2"
},
{
"status": "affected",
"version": "0.2.3"
},
{
"status": "affected",
"version": "0.2.4"
},
{
"status": "affected",
"version": "0.2.5"
},
{
"status": "affected",
"version": "0.2.6"
},
{
"status": "affected",
"version": "0.2.7"
},
{
"status": "affected",
"version": "0.2.8"
},
{
"status": "affected",
"version": "0.2.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-d (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument client_id causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The reported GitHub issue was closed automatically due to inactivity."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T01:30:09.422Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377258 | Sipeed PicoClaw MQTT Channel mqtt.go authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377258"
},
{
"name": "VDB-377258 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377258/cti"
},
{
"name": "CVE-2026-15318 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15318"
},
{
"name": "Submit #852879 | Sipeed PicoClaw \u003c= 0.2.9 Incorrect Authorization (CWE-863)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852879"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/sipeed/picoclaw/issues/3068"
},
{
"tags": [
"product"
],
"url": "https://github.com/sipeed/picoclaw/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:12:47.000Z",
"value": "VulDB entry last update"
}
],
"title": "Sipeed PicoClaw MQTT Channel mqtt.go authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15318",
"datePublished": "2026-07-10T01:30:09.422Z",
"dateReserved": "2026-07-09T18:07:35.019Z",
"dateUpdated": "2026-07-10T01:30:09.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15317 (GCVE-0-2026-15317)
Vulnerability from cvelistv5 – Published: 2026-07-10 00:00 – Updated: 2026-07-10 00:00
VLAI
EPSS
VEX
Title
Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery
Summary
A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
Severity
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377257 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377257/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15317 | third-party-advisory |
| https://vuldb.com/submit/852877 | third-party-advisory |
| https://github.com/sipeed/picoclaw/issues/3078 | exploitissue-tracking |
| https://github.com/sipeed/picoclaw/ | product |
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
],
"modules": [
"Guarded Web Fetch Flow"
],
"product": "PicoClaw",
"vendor": "Sipeed",
"versions": [
{
"status": "affected",
"version": "0.2.0"
},
{
"status": "affected",
"version": "0.2.1"
},
{
"status": "affected",
"version": "0.2.2"
},
{
"status": "affected",
"version": "0.2.3"
},
{
"status": "affected",
"version": "0.2.4"
},
{
"status": "affected",
"version": "0.2.5"
},
{
"status": "affected",
"version": "0.2.6"
},
{
"status": "affected",
"version": "0.2.7"
},
{
"status": "affected",
"version": "0.2.8"
},
{
"status": "affected",
"version": "0.2.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-d (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T00:00:13.247Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377257 | Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377257"
},
{
"name": "VDB-377257 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377257/cti"
},
{
"name": "CVE-2026-15317 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15317"
},
{
"name": "Submit #852877 | Sipeed PicoClaw \u003c= 0.2.9 Server-Side Request Forgery (CWE-918)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852877"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/sipeed/picoclaw/issues/3078"
},
{
"tags": [
"product"
],
"url": "https://github.com/sipeed/picoclaw/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T20:12:45.000Z",
"value": "VulDB entry last update"
}
],
"title": "Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15317",
"datePublished": "2026-07-10T00:00:13.247Z",
"dateReserved": "2026-07-09T18:07:32.588Z",
"dateUpdated": "2026-07-10T00:00:13.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6987 (GCVE-0-2026-6987)
Vulnerability from cvelistv5 – Published: 2026-04-25 16:45 – Updated: 2026-04-27 13:34
VLAI
EPSS
VEX
Title
PicoClaw Web Launcher Management Plane restart command injection
Summary
A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359530 | vdb-entry |
| https://vuldb.com/vuln/359530/cti | signaturepermissions-required |
| https://vuldb.com/submit/796336 | third-party-advisory |
| https://github.com/sipeed/picoclaw/issues/2307 | issue-tracking |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6987",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T13:20:23.522219Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:34:16.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Web Launcher Management Plane"
],
"product": "PicoClaw",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "0.2.0"
},
{
"status": "affected",
"version": "0.2.1"
},
{
"status": "affected",
"version": "0.2.2"
},
{
"status": "affected",
"version": "0.2.3"
},
{
"status": "affected",
"version": "0.2.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "AiSec (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T16:45:09.726Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359530 | PicoClaw Web Launcher Management Plane restart command injection",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/359530"
},
{
"name": "VDB-359530 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359530/cti"
},
{
"name": "Submit #796336 | PicoClaw V0.2.4 Command execution",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/796336"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/sipeed/picoclaw/issues/2307"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-24T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-24T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-24T21:21:36.000Z",
"value": "VulDB entry last update"
}
],
"title": "PicoClaw Web Launcher Management Plane restart command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-6987",
"datePublished": "2026-04-25T16:45:09.726Z",
"dateReserved": "2026-04-24T19:16:31.247Z",
"dateUpdated": "2026-04-27T13:34:16.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}