Search
Find a vulnerability
Search criteria
6 vulnerabilities by louisho5
CVE-2026-15669 (GCVE-0-2026-15669)
Vulnerability from nvd – Published: 2026-07-14 05:15 – Updated: 2026-07-14 12:40
VLAI
EPSS
VEX
Title
louisho5 picobot exec Tool exec.go ExecTool.Execute os command injection
Summary
A vulnerability was found in louisho5 picobot up to 0.2.0. This issue affects the function ExecTool.Execute of the file internal/agent/tools/exec.go of the component exec Tool. The manipulation results in os command injection. The attack requires a local approach. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/378163 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/378163/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15669 | third-party-advisory |
| https://vuldb.com/submit/855869 | third-party-advisory |
| https://vuldb.com/submit/855870 | third-party-advisory |
| https://github.com/louisho5/picobot/issues/42 | issue-tracking |
| https://github.com/louisho5/picobot/issues/43 | exploitissue-tracking |
| https://github.com/louisho5/picobot/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15669",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T12:40:34.602841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T12:40:52.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:louisho5:picobot:*:*:*:*:*:*:*:*"
],
"modules": [
"exec Tool"
],
"product": "picobot",
"vendor": "louisho5",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-h (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in louisho5 picobot up to 0.2.0. This issue affects the function ExecTool.Execute of the file internal/agent/tools/exec.go of the component exec Tool. The manipulation results in os command injection. The attack requires a local approach. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T05:15:08.751Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-378163 | louisho5 picobot exec Tool exec.go ExecTool.Execute os command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/378163"
},
{
"name": "VDB-378163 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/378163/cti"
},
{
"name": "CVE-2026-15669 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15669"
},
{
"name": "Submit #855869 | louisho5 picobot 0.2.0 OS Command Injection (CWE-78)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/855869"
},
{
"name": "Submit #855870 | louisho5 picobot 0.2.0 Incomplete List of Disallowed Inputs (CWE-184) (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/855870"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/louisho5/picobot/issues/42"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/louisho5/picobot/issues/43"
},
{
"tags": [
"product"
],
"url": "https://github.com/louisho5/picobot/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-13T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-13T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-13T23:17:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "louisho5 picobot exec Tool exec.go ExecTool.Execute os command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15669",
"datePublished": "2026-07-14T05:15:08.751Z",
"dateReserved": "2026-07-13T21:12:09.590Z",
"dateUpdated": "2026-07-14T12:40:52.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15668 (GCVE-0-2026-15668)
Vulnerability from nvd – Published: 2026-07-14 04:00 – Updated: 2026-07-15 14:47
VLAI
EPSS
VEX
Title
louisho5 picobot web Tool web.go WebTool.Execute server-side request forgery
Summary
A vulnerability has been found in louisho5 picobot up to 0.2.0. This vulnerability affects the function WebTool.Execute of the file internal/agent/tools/web.go of the component web Tool. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/378162 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/378162/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15668 | third-party-advisory |
| https://vuldb.com/submit/855866 | third-party-advisory |
| https://github.com/louisho5/picobot/issues/41 | exploitissue-tracking |
| https://github.com/louisho5/picobot/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15668",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T14:47:38.852891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:47:51.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/submit/855866"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:louisho5:picobot:*:*:*:*:*:*:*:*"
],
"modules": [
"web Tool"
],
"product": "picobot",
"vendor": "louisho5",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-h (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in louisho5 picobot up to 0.2.0. This vulnerability affects the function WebTool.Execute of the file internal/agent/tools/web.go of the component web Tool. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T04:00:11.940Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-378162 | louisho5 picobot web Tool web.go WebTool.Execute server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/378162"
},
{
"name": "VDB-378162 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/378162/cti"
},
{
"name": "CVE-2026-15668 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15668"
},
{
"name": "Submit #855866 | louisho5 picobot 0.2.0 Server-Side Request Forgery (SSRF) (CWE-918)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/855866"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/louisho5/picobot/issues/41"
},
{
"tags": [
"product"
],
"url": "https://github.com/louisho5/picobot/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-13T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-13T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-13T23:17:12.000Z",
"value": "VulDB entry last update"
}
],
"title": "louisho5 picobot web Tool web.go WebTool.Execute server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15668",
"datePublished": "2026-07-14T04:00:11.940Z",
"dateReserved": "2026-07-13T21:12:07.140Z",
"dateUpdated": "2026-07-15T14:47:51.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15629 (GCVE-0-2026-15629)
Vulnerability from nvd – Published: 2026-07-14 03:30 – Updated: 2026-07-14 12:30
VLAI
EPSS
VEX
Title
louisho5 picobot Workspace filesystem.go GetSkill link following
Summary
A weakness has been identified in louisho5 picobot up to 0.2.0. Impacted is the function CreateSkill/GetSkill of the file internal/agent/tools/filesystem.go of the component Workspace Handler. Executing a manipulation can lead to link following. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-59 - Link Following
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/378131 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/378131/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15629 | third-party-advisory |
| https://vuldb.com/submit/855854 | third-party-advisory |
| https://github.com/louisho5/picobot/issues/40 | exploitissue-tracking |
| https://github.com/louisho5/picobot/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15629",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T12:30:14.532173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T12:30:25.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:louisho5:picobot:*:*:*:*:*:*:*:*"
],
"modules": [
"Workspace Handler"
],
"product": "picobot",
"vendor": "louisho5",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-e (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in louisho5 picobot up to 0.2.0. Impacted is the function CreateSkill/GetSkill of the file internal/agent/tools/filesystem.go of the component Workspace Handler. Executing a manipulation can lead to link following. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "Link Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T03:30:09.462Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-378131 | louisho5 picobot Workspace filesystem.go GetSkill link following",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/378131"
},
{
"name": "VDB-378131 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/378131/cti"
},
{
"name": "CVE-2026-15629 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15629"
},
{
"name": "Submit #855854 | louisho5 picobot 0.2.0 Improper Link Resolution Before File Access (CWE-59)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/855854"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/louisho5/picobot/issues/40"
},
{
"tags": [
"product"
],
"url": "https://github.com/louisho5/picobot/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-13T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-13T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-13T19:35:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "louisho5 picobot Workspace filesystem.go GetSkill link following"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15629",
"datePublished": "2026-07-14T03:30:09.462Z",
"dateReserved": "2026-07-13T17:29:56.866Z",
"dateUpdated": "2026-07-14T12:30:25.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15669 (GCVE-0-2026-15669)
Vulnerability from cvelistv5 – Published: 2026-07-14 05:15 – Updated: 2026-07-14 12:40
VLAI
EPSS
VEX
Title
louisho5 picobot exec Tool exec.go ExecTool.Execute os command injection
Summary
A vulnerability was found in louisho5 picobot up to 0.2.0. This issue affects the function ExecTool.Execute of the file internal/agent/tools/exec.go of the component exec Tool. The manipulation results in os command injection. The attack requires a local approach. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/378163 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/378163/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15669 | third-party-advisory |
| https://vuldb.com/submit/855869 | third-party-advisory |
| https://vuldb.com/submit/855870 | third-party-advisory |
| https://github.com/louisho5/picobot/issues/42 | issue-tracking |
| https://github.com/louisho5/picobot/issues/43 | exploitissue-tracking |
| https://github.com/louisho5/picobot/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15669",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T12:40:34.602841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T12:40:52.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:louisho5:picobot:*:*:*:*:*:*:*:*"
],
"modules": [
"exec Tool"
],
"product": "picobot",
"vendor": "louisho5",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-h (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in louisho5 picobot up to 0.2.0. This issue affects the function ExecTool.Execute of the file internal/agent/tools/exec.go of the component exec Tool. The manipulation results in os command injection. The attack requires a local approach. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T05:15:08.751Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-378163 | louisho5 picobot exec Tool exec.go ExecTool.Execute os command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/378163"
},
{
"name": "VDB-378163 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/378163/cti"
},
{
"name": "CVE-2026-15669 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15669"
},
{
"name": "Submit #855869 | louisho5 picobot 0.2.0 OS Command Injection (CWE-78)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/855869"
},
{
"name": "Submit #855870 | louisho5 picobot 0.2.0 Incomplete List of Disallowed Inputs (CWE-184) (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/855870"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/louisho5/picobot/issues/42"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/louisho5/picobot/issues/43"
},
{
"tags": [
"product"
],
"url": "https://github.com/louisho5/picobot/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-13T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-13T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-13T23:17:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "louisho5 picobot exec Tool exec.go ExecTool.Execute os command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15669",
"datePublished": "2026-07-14T05:15:08.751Z",
"dateReserved": "2026-07-13T21:12:09.590Z",
"dateUpdated": "2026-07-14T12:40:52.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15668 (GCVE-0-2026-15668)
Vulnerability from cvelistv5 – Published: 2026-07-14 04:00 – Updated: 2026-07-15 14:47
VLAI
EPSS
VEX
Title
louisho5 picobot web Tool web.go WebTool.Execute server-side request forgery
Summary
A vulnerability has been found in louisho5 picobot up to 0.2.0. This vulnerability affects the function WebTool.Execute of the file internal/agent/tools/web.go of the component web Tool. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/378162 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/378162/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15668 | third-party-advisory |
| https://vuldb.com/submit/855866 | third-party-advisory |
| https://github.com/louisho5/picobot/issues/41 | exploitissue-tracking |
| https://github.com/louisho5/picobot/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15668",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T14:47:38.852891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:47:51.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/submit/855866"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:louisho5:picobot:*:*:*:*:*:*:*:*"
],
"modules": [
"web Tool"
],
"product": "picobot",
"vendor": "louisho5",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-h (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in louisho5 picobot up to 0.2.0. This vulnerability affects the function WebTool.Execute of the file internal/agent/tools/web.go of the component web Tool. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T04:00:11.940Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-378162 | louisho5 picobot web Tool web.go WebTool.Execute server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/378162"
},
{
"name": "VDB-378162 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/378162/cti"
},
{
"name": "CVE-2026-15668 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15668"
},
{
"name": "Submit #855866 | louisho5 picobot 0.2.0 Server-Side Request Forgery (SSRF) (CWE-918)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/855866"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/louisho5/picobot/issues/41"
},
{
"tags": [
"product"
],
"url": "https://github.com/louisho5/picobot/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-13T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-13T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-13T23:17:12.000Z",
"value": "VulDB entry last update"
}
],
"title": "louisho5 picobot web Tool web.go WebTool.Execute server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15668",
"datePublished": "2026-07-14T04:00:11.940Z",
"dateReserved": "2026-07-13T21:12:07.140Z",
"dateUpdated": "2026-07-15T14:47:51.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15629 (GCVE-0-2026-15629)
Vulnerability from cvelistv5 – Published: 2026-07-14 03:30 – Updated: 2026-07-14 12:30
VLAI
EPSS
VEX
Title
louisho5 picobot Workspace filesystem.go GetSkill link following
Summary
A weakness has been identified in louisho5 picobot up to 0.2.0. Impacted is the function CreateSkill/GetSkill of the file internal/agent/tools/filesystem.go of the component Workspace Handler. Executing a manipulation can lead to link following. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-59 - Link Following
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/378131 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/378131/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15629 | third-party-advisory |
| https://vuldb.com/submit/855854 | third-party-advisory |
| https://github.com/louisho5/picobot/issues/40 | exploitissue-tracking |
| https://github.com/louisho5/picobot/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15629",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T12:30:14.532173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T12:30:25.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:louisho5:picobot:*:*:*:*:*:*:*:*"
],
"modules": [
"Workspace Handler"
],
"product": "picobot",
"vendor": "louisho5",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-e (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in louisho5 picobot up to 0.2.0. Impacted is the function CreateSkill/GetSkill of the file internal/agent/tools/filesystem.go of the component Workspace Handler. Executing a manipulation can lead to link following. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "Link Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T03:30:09.462Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-378131 | louisho5 picobot Workspace filesystem.go GetSkill link following",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/378131"
},
{
"name": "VDB-378131 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/378131/cti"
},
{
"name": "CVE-2026-15629 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15629"
},
{
"name": "Submit #855854 | louisho5 picobot 0.2.0 Improper Link Resolution Before File Access (CWE-59)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/855854"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/louisho5/picobot/issues/40"
},
{
"tags": [
"product"
],
"url": "https://github.com/louisho5/picobot/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-13T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-13T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-13T19:35:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "louisho5 picobot Workspace filesystem.go GetSkill link following"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15629",
"datePublished": "2026-07-14T03:30:09.462Z",
"dateReserved": "2026-07-13T17:29:56.866Z",
"dateUpdated": "2026-07-14T12:30:25.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}