Search

Find a vulnerability

Search criteria

    12 vulnerabilities by Sipeed

    CVE-2026-15320 (GCVE-0-2026-15320)

    Vulnerability from nvd – Published: 2026-07-10 02:00 – Updated: 2026-07-10 02:00
    VLAI
    Title
    Sipeed PicoClaw pico.go rt.ReloadConfig authorization
    Summary
    A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377260 vdb-entrytechnical-description
    https://vuldb.com/vuln/377260/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15320 third-party-advisory
    https://vuldb.com/submit/852942 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3071 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.5,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T02:00:08.478Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377260 | Sipeed PicoClaw pico.go rt.ReloadConfig authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377260"
            },
            {
              "name": "VDB-377260 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377260/cti"
            },
            {
              "name": "CVE-2026-15320 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15320"
            },
            {
              "name": "Submit #852942 | Sipeed PicoClaw \u003c= 0.2.9 Missing Authorization (CWE-862)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852942"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3071"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:57.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw pico.go rt.ReloadConfig authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15320",
        "datePublished": "2026-07-10T02:00:08.478Z",
        "dateReserved": "2026-07-09T18:07:40.636Z",
        "dateUpdated": "2026-07-10T02:00:08.478Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15319 (GCVE-0-2026-15319)

    Vulnerability from nvd – Published: 2026-07-10 01:45 – Updated: 2026-07-10 01:45
    VLAI
    Title
    Sipeed PicoClaw Launcher access_control.go IPAllowlist access control
    Summary
    A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue.
    CWE
    • CWE-284 - Improper Access Controls
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377259 vdb-entrytechnical-description
    https://vuldb.com/vuln/377259/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15319 third-party-advisory
    https://vuldb.com/submit/852884 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3069 exploitissue-tracking
    https://github.com/sipeed/picoclaw/pull/3126 issue-trackingpatch
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-d (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Launcher"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-d (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T01:45:08.961Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377259 | Sipeed PicoClaw Launcher access_control.go IPAllowlist access control",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377259"
            },
            {
              "name": "VDB-377259 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377259/cti"
            },
            {
              "name": "CVE-2026-15319 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15319"
            },
            {
              "name": "Submit #852884 | Sipeed PicoClaw Unreleased main branch after launcher introduction commit `e55b3b7a8d0b1ea1522da08fd46155ee4f58b794` and before a fix is merged Improper Access Control (CWE-284)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852884"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3069"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/pull/3126"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:54.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw Launcher access_control.go IPAllowlist access control"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15319",
        "datePublished": "2026-07-10T01:45:08.961Z",
        "dateReserved": "2026-07-09T18:07:37.685Z",
        "dateUpdated": "2026-07-10T01:45:08.961Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15318 (GCVE-0-2026-15318)

    Vulnerability from nvd – Published: 2026-07-10 01:30 – Updated: 2026-07-10 01:30
    VLAI
    Title
    Sipeed PicoClaw MQTT Channel mqtt.go authorization
    Summary
    A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument client_id causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377258 vdb-entrytechnical-description
    https://vuldb.com/vuln/377258/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15318 third-party-advisory
    https://vuldb.com/submit/852879 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3068 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-d (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "MQTT Channel Handler"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-d (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument client_id causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T01:30:09.422Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377258 | Sipeed PicoClaw MQTT Channel mqtt.go authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377258"
            },
            {
              "name": "VDB-377258 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377258/cti"
            },
            {
              "name": "CVE-2026-15318 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15318"
            },
            {
              "name": "Submit #852879 | Sipeed PicoClaw \u003c= 0.2.9 Incorrect Authorization (CWE-863)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852879"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3068"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:47.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw MQTT Channel mqtt.go authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15318",
        "datePublished": "2026-07-10T01:30:09.422Z",
        "dateReserved": "2026-07-09T18:07:35.019Z",
        "dateUpdated": "2026-07-10T01:30:09.422Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15317 (GCVE-0-2026-15317)

    Vulnerability from nvd – Published: 2026-07-10 00:00 – Updated: 2026-07-10 00:00
    VLAI
    Title
    Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery
    Summary
    A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
    CWE
    • CWE-918 - Server-Side Request Forgery
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377257 vdb-entrytechnical-description
    https://vuldb.com/vuln/377257/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15317 third-party-advisory
    https://vuldb.com/submit/852877 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3078 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-d (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Guarded Web Fetch Flow"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-d (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T00:00:13.247Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377257 | Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377257"
            },
            {
              "name": "VDB-377257 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377257/cti"
            },
            {
              "name": "CVE-2026-15317 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15317"
            },
            {
              "name": "Submit #852877 | Sipeed PicoClaw \u003c= 0.2.9 Server-Side Request Forgery (CWE-918)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852877"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3078"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:45.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15317",
        "datePublished": "2026-07-10T00:00:13.247Z",
        "dateReserved": "2026-07-09T18:07:32.588Z",
        "dateUpdated": "2026-07-10T00:00:13.247Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6987 (GCVE-0-2026-6987)

    Vulnerability from nvd – Published: 2026-04-25 16:45 – Updated: 2026-04-27 13:34
    VLAI
    Title
    PicoClaw Web Launcher Management Plane restart command injection
    Summary
    A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Credits
    AiSec (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6987",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-27T13:20:23.522219Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-27T13:34:16.415Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Web Launcher Management Plane"
              ],
              "product": "PicoClaw",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "AiSec (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-25T16:45:09.726Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-359530 | PicoClaw Web Launcher Management Plane restart command injection",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/359530"
            },
            {
              "name": "VDB-359530 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/359530/cti"
            },
            {
              "name": "Submit #796336 | PicoClaw V0.2.4 Command execution",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/796336"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/2307"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-24T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-04-24T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-04-24T21:21:36.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "PicoClaw Web Launcher Management Plane restart command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-6987",
        "datePublished": "2026-04-25T16:45:09.726Z",
        "dateReserved": "2026-04-24T19:16:31.247Z",
        "dateUpdated": "2026-04-27T13:34:16.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32296 (GCVE-0-2026-32296)

    Vulnerability from nvd – Published: 2026-03-17 17:19 – Updated: 2026-03-17 18:10
    VLAI
    Title
    Sipeed NanoKVM unauthenticated Wi-Fi configuration endpoint
    Summary
    Sipeed NanoKVM before 2.3.1 exposes a Wi-Fi configuration endpoint without proper security checks, allowing an unauthenticated attacker with network access to change the saved configured Wi-Fi network to one of the attacker's choosing, or craft a request to exhaust the system memory and terminate the KVM process.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    Sipeed NanoKVM Affected: 0 , < 2.3.1 (custom)
    Unaffected: 2.3.1
    Create a notification for this product.
    Date Public
    2026-03-17 00:00
    Credits
    Reynaldo Vasquez Garcia, Eclypsium
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32296",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-17T18:10:20.429406Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-17T18:10:26.448Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "NanoKVM",
              "vendor": "Sipeed",
              "versions": [
                {
                  "lessThan": "2.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2.3.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Reynaldo Vasquez Garcia, Eclypsium"
            }
          ],
          "datePublic": "2026-03-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Sipeed NanoKVM before 2.3.1 exposes a Wi-Fi configuration endpoint without proper security checks, allowing an unauthenticated attacker with network access to change the saved configured Wi-Fi network to one of the attacker\u0027s choosing, or craft a request to exhaust the system memory and terminate the KVM process."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            },
            {
              "other": {
                "content": {
                  "id": "CVE-2026-32296",
                  "options": [
                    {
                      "Exploitation": "none"
                    },
                    {
                      "Automatable": "yes"
                    },
                    {
                      "Technical Impact": "partial"
                    }
                  ],
                  "role": "CISA Coordinator",
                  "timestamp": "2026-03-16T19:28:53.598916Z",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-17T17:19:55.013Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/sipeed/NanoKVM/blob/main/CHANGELOG.md#231-2025-12-26"
            },
            {
              "name": "url",
              "url": "https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/"
            },
            {
              "name": "url",
              "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2026-32296"
            }
          ],
          "title": "Sipeed NanoKVM unauthenticated Wi-Fi configuration endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2026-32296",
        "datePublished": "2026-03-17T17:19:55.013Z",
        "dateReserved": "2026-03-11T18:26:54.750Z",
        "dateUpdated": "2026-03-17T18:10:26.448Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15320 (GCVE-0-2026-15320)

    Vulnerability from cvelistv5 – Published: 2026-07-10 02:00 – Updated: 2026-07-10 02:00
    VLAI
    Title
    Sipeed PicoClaw pico.go rt.ReloadConfig authorization
    Summary
    A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377260 vdb-entrytechnical-description
    https://vuldb.com/vuln/377260/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15320 third-party-advisory
    https://vuldb.com/submit/852942 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3071 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.5,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T02:00:08.478Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377260 | Sipeed PicoClaw pico.go rt.ReloadConfig authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377260"
            },
            {
              "name": "VDB-377260 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377260/cti"
            },
            {
              "name": "CVE-2026-15320 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15320"
            },
            {
              "name": "Submit #852942 | Sipeed PicoClaw \u003c= 0.2.9 Missing Authorization (CWE-862)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852942"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3071"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:57.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw pico.go rt.ReloadConfig authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15320",
        "datePublished": "2026-07-10T02:00:08.478Z",
        "dateReserved": "2026-07-09T18:07:40.636Z",
        "dateUpdated": "2026-07-10T02:00:08.478Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15319 (GCVE-0-2026-15319)

    Vulnerability from cvelistv5 – Published: 2026-07-10 01:45 – Updated: 2026-07-10 01:45
    VLAI
    Title
    Sipeed PicoClaw Launcher access_control.go IPAllowlist access control
    Summary
    A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue.
    CWE
    • CWE-284 - Improper Access Controls
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377259 vdb-entrytechnical-description
    https://vuldb.com/vuln/377259/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15319 third-party-advisory
    https://vuldb.com/submit/852884 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3069 exploitissue-tracking
    https://github.com/sipeed/picoclaw/pull/3126 issue-trackingpatch
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-d (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Launcher"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-d (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T01:45:08.961Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377259 | Sipeed PicoClaw Launcher access_control.go IPAllowlist access control",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377259"
            },
            {
              "name": "VDB-377259 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377259/cti"
            },
            {
              "name": "CVE-2026-15319 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15319"
            },
            {
              "name": "Submit #852884 | Sipeed PicoClaw Unreleased main branch after launcher introduction commit `e55b3b7a8d0b1ea1522da08fd46155ee4f58b794` and before a fix is merged Improper Access Control (CWE-284)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852884"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3069"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/pull/3126"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:54.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw Launcher access_control.go IPAllowlist access control"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15319",
        "datePublished": "2026-07-10T01:45:08.961Z",
        "dateReserved": "2026-07-09T18:07:37.685Z",
        "dateUpdated": "2026-07-10T01:45:08.961Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15318 (GCVE-0-2026-15318)

    Vulnerability from cvelistv5 – Published: 2026-07-10 01:30 – Updated: 2026-07-10 01:30
    VLAI
    Title
    Sipeed PicoClaw MQTT Channel mqtt.go authorization
    Summary
    A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument client_id causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377258 vdb-entrytechnical-description
    https://vuldb.com/vuln/377258/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15318 third-party-advisory
    https://vuldb.com/submit/852879 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3068 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-d (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "MQTT Channel Handler"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-d (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument client_id causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T01:30:09.422Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377258 | Sipeed PicoClaw MQTT Channel mqtt.go authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377258"
            },
            {
              "name": "VDB-377258 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377258/cti"
            },
            {
              "name": "CVE-2026-15318 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15318"
            },
            {
              "name": "Submit #852879 | Sipeed PicoClaw \u003c= 0.2.9 Incorrect Authorization (CWE-863)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852879"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3068"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:47.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw MQTT Channel mqtt.go authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15318",
        "datePublished": "2026-07-10T01:30:09.422Z",
        "dateReserved": "2026-07-09T18:07:35.019Z",
        "dateUpdated": "2026-07-10T01:30:09.422Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15317 (GCVE-0-2026-15317)

    Vulnerability from cvelistv5 – Published: 2026-07-10 00:00 – Updated: 2026-07-10 00:00
    VLAI
    Title
    Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery
    Summary
    A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
    CWE
    • CWE-918 - Server-Side Request Forgery
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377257 vdb-entrytechnical-description
    https://vuldb.com/vuln/377257/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15317 third-party-advisory
    https://vuldb.com/submit/852877 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3078 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-d (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Guarded Web Fetch Flow"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-d (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T00:00:13.247Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377257 | Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377257"
            },
            {
              "name": "VDB-377257 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377257/cti"
            },
            {
              "name": "CVE-2026-15317 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15317"
            },
            {
              "name": "Submit #852877 | Sipeed PicoClaw \u003c= 0.2.9 Server-Side Request Forgery (CWE-918)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852877"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3078"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:45.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15317",
        "datePublished": "2026-07-10T00:00:13.247Z",
        "dateReserved": "2026-07-09T18:07:32.588Z",
        "dateUpdated": "2026-07-10T00:00:13.247Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6987 (GCVE-0-2026-6987)

    Vulnerability from cvelistv5 – Published: 2026-04-25 16:45 – Updated: 2026-04-27 13:34
    VLAI
    Title
    PicoClaw Web Launcher Management Plane restart command injection
    Summary
    A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Credits
    AiSec (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6987",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-27T13:20:23.522219Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-27T13:34:16.415Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Web Launcher Management Plane"
              ],
              "product": "PicoClaw",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "AiSec (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-25T16:45:09.726Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-359530 | PicoClaw Web Launcher Management Plane restart command injection",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/359530"
            },
            {
              "name": "VDB-359530 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/359530/cti"
            },
            {
              "name": "Submit #796336 | PicoClaw V0.2.4 Command execution",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/796336"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/2307"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-24T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-04-24T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-04-24T21:21:36.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "PicoClaw Web Launcher Management Plane restart command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-6987",
        "datePublished": "2026-04-25T16:45:09.726Z",
        "dateReserved": "2026-04-24T19:16:31.247Z",
        "dateUpdated": "2026-04-27T13:34:16.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32296 (GCVE-0-2026-32296)

    Vulnerability from cvelistv5 – Published: 2026-03-17 17:19 – Updated: 2026-03-17 18:10
    VLAI
    Title
    Sipeed NanoKVM unauthenticated Wi-Fi configuration endpoint
    Summary
    Sipeed NanoKVM before 2.3.1 exposes a Wi-Fi configuration endpoint without proper security checks, allowing an unauthenticated attacker with network access to change the saved configured Wi-Fi network to one of the attacker's choosing, or craft a request to exhaust the system memory and terminate the KVM process.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    Sipeed NanoKVM Affected: 0 , < 2.3.1 (custom)
    Unaffected: 2.3.1
    Create a notification for this product.
    Date Public
    2026-03-17 00:00
    Credits
    Reynaldo Vasquez Garcia, Eclypsium
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32296",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-17T18:10:20.429406Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-17T18:10:26.448Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "NanoKVM",
              "vendor": "Sipeed",
              "versions": [
                {
                  "lessThan": "2.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2.3.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Reynaldo Vasquez Garcia, Eclypsium"
            }
          ],
          "datePublic": "2026-03-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Sipeed NanoKVM before 2.3.1 exposes a Wi-Fi configuration endpoint without proper security checks, allowing an unauthenticated attacker with network access to change the saved configured Wi-Fi network to one of the attacker\u0027s choosing, or craft a request to exhaust the system memory and terminate the KVM process."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            },
            {
              "other": {
                "content": {
                  "id": "CVE-2026-32296",
                  "options": [
                    {
                      "Exploitation": "none"
                    },
                    {
                      "Automatable": "yes"
                    },
                    {
                      "Technical Impact": "partial"
                    }
                  ],
                  "role": "CISA Coordinator",
                  "timestamp": "2026-03-16T19:28:53.598916Z",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-17T17:19:55.013Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/sipeed/NanoKVM/blob/main/CHANGELOG.md#231-2025-12-26"
            },
            {
              "name": "url",
              "url": "https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/"
            },
            {
              "name": "url",
              "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2026-32296"
            }
          ],
          "title": "Sipeed NanoKVM unauthenticated Wi-Fi configuration endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2026-32296",
        "datePublished": "2026-03-17T17:19:55.013Z",
        "dateReserved": "2026-03-11T18:26:54.750Z",
        "dateUpdated": "2026-03-17T18:10:26.448Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }