Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    30 vulnerabilities by Sipeed

    CVE-2026-16198 (GCVE-0-2026-16198)

    Vulnerability from nvd – Published: 2026-07-18 23:30 – Updated: 2026-07-18 23:30 X_Open Source
    VLAI
    Title
    Sipeed PicoClaw First Run Setup access_control.go authentication bypass
    Summary
    A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. The impacted element is an unknown function of the file web/backend/middleware/access_control.go of the component First Run Setup. Performing a manipulation of the argument allowed_cidrs results in authentication bypass using alternate channel. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit is now public and may be used. The patch is named 017601354be38cb027ff3ffb01aed79bd5d12610. Applying a patch is the recommended action to fix this issue.
    CWE
    • CWE-288 - Authentication Bypass Using Alternate Channel
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "First Run Setup"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. The impacted element is an unknown function of the file web/backend/middleware/access_control.go of the component First Run Setup. Performing a manipulation of the argument allowed_cidrs results in authentication bypass using alternate channel. The attack may be initiated remotely. The attack\u0027s complexity is rated as high. The exploitability is regarded as difficult. The exploit is now public and may be used. The patch is named 017601354be38cb027ff3ffb01aed79bd5d12610. Applying a patch is the recommended action to fix this issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.1,
                "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "Authentication Bypass Using Alternate Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T23:30:18.741Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-380014 | Sipeed PicoClaw First Run Setup access_control.go authentication bypass",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/380014"
            },
            {
              "name": "VDB-380014 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/380014/cti"
            },
            {
              "name": "CVE-2026-16198 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16198"
            },
            {
              "name": "Submit #852965 | Sipeed PicoClaw \u003c= v0.2.9 Authentication Bypass Using an Alternate Path or Channel (CWE-288)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852965"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3080"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/pull/3083"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/commit/017601354be38cb027ff3ffb01aed79bd5d12610"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-18T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-18T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-18T09:28:00.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw First Run Setup access_control.go authentication bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16198",
        "datePublished": "2026-07-18T23:30:18.741Z",
        "dateReserved": "2026-07-18T07:22:40.821Z",
        "dateUpdated": "2026-07-18T23:30:18.741Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16197 (GCVE-0-2026-16197)

    Vulnerability from nvd – Published: 2026-07-18 23:00 – Updated: 2026-07-18 23:00
    VLAI
    Title
    Sipeed PicoClaw Group Message feishu_64.go handleMessageReceive authorization
    Summary
    A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. The affected element is the function handleMessageReceive of the file pkg/channels/feishu/feishu_64.go of the component Group Message Handler. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed automatically due to inactivity.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/380013 vdb-entrytechnical-description
    https://vuldb.com/vuln/380013/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-16197 third-party-advisory
    https://vuldb.com/submit/852964 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3082 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Group Message Handler"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. The affected element is the function handleMessageReceive of the file pkg/channels/feishu/feishu_64.go of the component Group Message Handler. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T23:00:12.202Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-380013 | Sipeed PicoClaw Group Message feishu_64.go handleMessageReceive authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/380013"
            },
            {
              "name": "VDB-380013 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/380013/cti"
            },
            {
              "name": "CVE-2026-16197 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16197"
            },
            {
              "name": "Submit #852964 | Sipeed PicoClaw \u003c= v0.2.9 Missing Authorization (CWE-862)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852964"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3082"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-18T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-18T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-18T09:27:55.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw Group Message feishu_64.go handleMessageReceive authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16197",
        "datePublished": "2026-07-18T23:00:12.202Z",
        "dateReserved": "2026-07-18T07:22:36.968Z",
        "dateUpdated": "2026-07-18T23:00:12.202Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16196 (GCVE-0-2026-16196)

    Vulnerability from nvd – Published: 2026-07-18 22:45 – Updated: 2026-07-18 22:45 X_Open Source
    VLAI
    Title
    Sipeed PicoClaw web_fetch web.go isPrivateOrRestrictedIP server-side request forgery
    Summary
    A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Impacted is the function isPrivateOrRestrictedIP of the file pkg/tools/integration/web.go of the component web_fetch. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 2efbe5d560e7ed9bc5209c203dc4aa6ecdbc7405. To fix this issue, it is recommended to deploy a patch.
    CWE
    • CWE-918 - Server-Side Request Forgery
    Assigner
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "web_fetch"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Impacted is the function isPrivateOrRestrictedIP of the file pkg/tools/integration/web.go of the component web_fetch. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 2efbe5d560e7ed9bc5209c203dc4aa6ecdbc7405. To fix this issue, it is recommended to deploy a patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T22:45:13.066Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-380012 | Sipeed PicoClaw web_fetch web.go isPrivateOrRestrictedIP server-side request forgery",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/380012"
            },
            {
              "name": "VDB-380012 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/380012/cti"
            },
            {
              "name": "CVE-2026-16196 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16196"
            },
            {
              "name": "Submit #852963 | Sipeed PicoClaw \u003c= 0.2.9 Server-Side Request Forgery (CWE-918)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852963"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3077"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/pull/3085"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/commit/2efbe5d560e7ed9bc5209c203dc4aa6ecdbc7405"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-18T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-18T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-18T09:27:51.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw web_fetch web.go isPrivateOrRestrictedIP server-side request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16196",
        "datePublished": "2026-07-18T22:45:13.066Z",
        "dateReserved": "2026-07-18T07:22:33.012Z",
        "dateUpdated": "2026-07-18T22:45:13.066Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16195 (GCVE-0-2026-16195)

    Vulnerability from nvd – Published: 2026-07-18 22:30 – Updated: 2026-07-18 22:30
    VLAI
    Title
    Sipeed PicoClaw Group Message wecom.go dispatchIncoming authorization
    Summary
    A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This issue affects the function dispatchIncoming of the file pkg/channels/wecom/wecom.go of the component Group Message Handler. The manipulation results in incorrect authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/380011 vdb-entrytechnical-description
    https://vuldb.com/vuln/380011/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-16195 third-party-advisory
    https://vuldb.com/submit/852962 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3076 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Group Message Handler"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This issue affects the function dispatchIncoming of the file pkg/channels/wecom/wecom.go of the component Group Message Handler. The manipulation results in incorrect authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T22:30:10.281Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-380011 | Sipeed PicoClaw Group Message wecom.go dispatchIncoming authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/380011"
            },
            {
              "name": "VDB-380011 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/380011/cti"
            },
            {
              "name": "CVE-2026-16195 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16195"
            },
            {
              "name": "Submit #852962 | Sipeed PicoClaw \u003c= 0.2.9 Incorrect Authorization (CWE-863)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852962"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3076"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-18T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-18T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-18T09:27:47.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw Group Message wecom.go dispatchIncoming authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16195",
        "datePublished": "2026-07-18T22:30:10.281Z",
        "dateReserved": "2026-07-18T07:22:29.086Z",
        "dateUpdated": "2026-07-18T22:30:10.281Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16085 (GCVE-0-2026-16085)

    Vulnerability from nvd – Published: 2026-07-18 09:15 – Updated: 2026-07-18 09:15
    VLAI
    Title
    Sipeed PicoClaw context.go NewContextBuilder inclusion of functionality from untrusted control sphere
    Summary
    A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. Affected is the function NewContextBuilder of the file pkg/agent/context.go. Such manipulation leads to inclusion of functionality from untrusted control sphere. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed automatically with the label "not planned" by a bot.
    CWE
    • CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/379797 vdb-entrytechnical-description
    https://vuldb.com/vuln/379797/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-16085 third-party-advisory
    https://vuldb.com/submit/852947 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3075 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. Affected is the function NewContextBuilder of the file pkg/agent/context.go. Such manipulation leads to inclusion of functionality from untrusted control sphere. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed automatically with the label \"not planned\" by a bot."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4.3,
                "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-829",
                  "description": "Inclusion of Functionality from Untrusted Control Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T09:15:09.590Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-379797 | Sipeed PicoClaw context.go NewContextBuilder inclusion of functionality from untrusted control sphere",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/379797"
            },
            {
              "name": "VDB-379797 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/379797/cti"
            },
            {
              "name": "CVE-2026-16085 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16085"
            },
            {
              "name": "Submit #852947 | Sipeed PicoClaw \u003c= 0.2.9 Inclusion of Functionality from Untrusted Control Sphere (CWE-829)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852947"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3075"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-17T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-17T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-17T15:55:34.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw context.go NewContextBuilder inclusion of functionality from untrusted control sphere"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16085",
        "datePublished": "2026-07-18T09:15:09.590Z",
        "dateReserved": "2026-07-17T13:50:10.945Z",
        "dateUpdated": "2026-07-18T09:15:09.590Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16084 (GCVE-0-2026-16084)

    Vulnerability from nvd – Published: 2026-07-18 09:00 – Updated: 2026-07-18 09:00 X_Open Source
    VLAI
    Title
    Sipeed PicoClaw web.go web_fetch server-side request forgery
    Summary
    A weakness has been identified in Sipeed PicoClaw up to 0.2.9. This impacts the function web_fetch of the file pkg/tools/integration/web.go. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. Patch name: c15aac21fe05ee103a470e1104bc891754e83392. To fix this issue, it is recommended to deploy a patch.
    CWE
    • CWE-918 - Server-Side Request Forgery
    Assigner
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in Sipeed PicoClaw up to 0.2.9. This impacts the function web_fetch of the file pkg/tools/integration/web.go. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. Patch name: c15aac21fe05ee103a470e1104bc891754e83392. To fix this issue, it is recommended to deploy a patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T09:00:10.981Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-379796 | Sipeed PicoClaw web.go web_fetch server-side request forgery",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/379796"
            },
            {
              "name": "VDB-379796 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/379796/cti"
            },
            {
              "name": "CVE-2026-16084 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16084"
            },
            {
              "name": "Submit #852946 | Sipeed PicoClaw \u003c= 0.2.9 Server-Side Request Forgery (CWE-918)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852946"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3074"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/pull/3143"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/commit/c15aac21fe05ee103a470e1104bc891754e83392"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-17T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-17T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-17T15:55:30.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw web.go web_fetch server-side request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16084",
        "datePublished": "2026-07-18T09:00:10.981Z",
        "dateReserved": "2026-07-17T13:50:07.157Z",
        "dateUpdated": "2026-07-18T09:00:10.981Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16083 (GCVE-0-2026-16083)

    Vulnerability from nvd – Published: 2026-07-18 08:30 – Updated: 2026-07-18 08:30
    VLAI
    Title
    Sipeed PicoClaw LINE Webhook line.go webhook.ParseRequest authentication replay
    Summary
    A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This affects the function webhook.ParseRequest of the file pkg/channels/line/line.go of the component LINE Webhook. The manipulation results in authentication bypass by capture-replay. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically with the label "not planned" by a bot.
    CWE
    • CWE-294 - Authentication Bypass by Capture-replay
    • CWE-287 - Improper Authentication
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/379795 vdb-entrytechnical-description
    https://vuldb.com/vuln/379795/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-16083 third-party-advisory
    https://vuldb.com/submit/852945 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3073 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "LINE Webhook"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This affects the function webhook.ParseRequest of the file pkg/channels/line/line.go of the component LINE Webhook. The manipulation results in authentication bypass by capture-replay. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically with the label \"not planned\" by a bot."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-294",
                  "description": "Authentication Bypass by Capture-replay",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T08:30:09.134Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-379795 | Sipeed PicoClaw LINE Webhook line.go webhook.ParseRequest authentication replay",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/379795"
            },
            {
              "name": "VDB-379795 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/379795/cti"
            },
            {
              "name": "CVE-2026-16083 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16083"
            },
            {
              "name": "Submit #852945 | Sipeed PicoClaw \u003c= 0.2.9 Authentication Bypass by Capture-replay (CWE-294)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852945"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3073"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-17T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-17T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-17T15:55:26.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw LINE Webhook line.go webhook.ParseRequest authentication replay"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16083",
        "datePublished": "2026-07-18T08:30:09.134Z",
        "dateReserved": "2026-07-17T13:50:03.053Z",
        "dateUpdated": "2026-07-18T08:30:09.134Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16082 (GCVE-0-2026-16082)

    Vulnerability from nvd – Published: 2026-07-18 08:15 – Updated: 2026-07-18 08:15
    VLAI
    Title
    Sipeed PicoClaw pipeline_execute.go ExecTool.executeRun toctou
    Summary
    A vulnerability was identified in Sipeed PicoClaw up to 0.2.9. The impacted element is the function ExecTool.executeRun of the file pkg/agent/pipeline_execute.go. The manipulation of the argument cwe leads to time-of-check time-of-use. The attack must be carried out locally. The exploit is publicly available and might be used. The reported GitHub issue was closed automatically with the label "not planned" by a bot.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/379794 vdb-entrytechnical-description
    https://vuldb.com/vuln/379794/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-16082 third-party-advisory
    https://vuldb.com/submit/852944 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3081 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in Sipeed PicoClaw up to 0.2.9. The impacted element is the function ExecTool.executeRun of the file pkg/agent/pipeline_execute.go. The manipulation of the argument cwe leads to time-of-check time-of-use. The attack must be carried out locally. The exploit is publicly available and might be used. The reported GitHub issue was closed automatically with the label \"not planned\" by a bot."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4.3,
                "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-367",
                  "description": "Time-of-check Time-of-use",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-362",
                  "description": "Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T08:15:07.934Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-379794 | Sipeed PicoClaw pipeline_execute.go ExecTool.executeRun toctou",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/379794"
            },
            {
              "name": "VDB-379794 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/379794/cti"
            },
            {
              "name": "CVE-2026-16082 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16082"
            },
            {
              "name": "Submit #852944 | Sipeed PicoClaw \u003c= 0.2.9 Time-of-check Time-of-use Race Condition (CWE-367)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852944"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3081"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-17T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-17T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-17T15:55:22.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw pipeline_execute.go ExecTool.executeRun toctou"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16082",
        "datePublished": "2026-07-18T08:15:07.934Z",
        "dateReserved": "2026-07-17T13:49:58.787Z",
        "dateUpdated": "2026-07-18T08:15:07.934Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16081 (GCVE-0-2026-16081)

    Vulnerability from nvd – Published: 2026-07-18 07:45 – Updated: 2026-07-18 07:45 X_Open Source
    VLAI
    Title
    Sipeed PicoClaw auth.go cross-site request forgery
    Summary
    A vulnerability was determined in Sipeed PicoClaw up to 0.2.9. The affected element is an unknown function of the file web/backend/api/auth.go. Executing a manipulation can lead to cross-site request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 4b0229351678f479429b8d8b19207757266f246b. Applying a patch is advised to resolve this issue.
    CWE
    • CWE-352 - Cross-Site Request Forgery
    • CWE-862 - Missing Authorization
    Assigner
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was determined in Sipeed PicoClaw up to 0.2.9. The affected element is an unknown function of the file web/backend/api/auth.go. Executing a manipulation can lead to cross-site request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 4b0229351678f479429b8d8b19207757266f246b. Applying a patch is advised to resolve this issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "Cross-Site Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T07:45:09.658Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-379793 | Sipeed PicoClaw auth.go cross-site request forgery",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/379793"
            },
            {
              "name": "VDB-379793 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/379793/cti"
            },
            {
              "name": "CVE-2026-16081 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16081"
            },
            {
              "name": "Submit #852943 | Sipeed PicoClaw \u003c= 0.2.9 Cross-Site Request Forgery (CWE-352)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852943"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3072"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/pull/3160"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/commit/4b0229351678f479429b8d8b19207757266f246b"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-17T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-17T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-17T15:55:17.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw auth.go cross-site request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16081",
        "datePublished": "2026-07-18T07:45:09.658Z",
        "dateReserved": "2026-07-17T13:49:54.669Z",
        "dateUpdated": "2026-07-18T07:45:09.658Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15320 (GCVE-0-2026-15320)

    Vulnerability from nvd – Published: 2026-07-10 02:00 – Updated: 2026-07-10 15:26
    VLAI
    Title
    Sipeed PicoClaw pico.go rt.ReloadConfig authorization
    Summary
    A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377260 vdb-entrytechnical-description
    https://vuldb.com/vuln/377260/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15320 third-party-advisory
    https://vuldb.com/submit/852942 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3071 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15320",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T15:26:21.767167Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T15:26:27.879Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.5,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T02:00:08.478Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377260 | Sipeed PicoClaw pico.go rt.ReloadConfig authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377260"
            },
            {
              "name": "VDB-377260 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377260/cti"
            },
            {
              "name": "CVE-2026-15320 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15320"
            },
            {
              "name": "Submit #852942 | Sipeed PicoClaw \u003c= 0.2.9 Missing Authorization (CWE-862)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852942"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3071"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:57.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw pico.go rt.ReloadConfig authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15320",
        "datePublished": "2026-07-10T02:00:08.478Z",
        "dateReserved": "2026-07-09T18:07:40.636Z",
        "dateUpdated": "2026-07-10T15:26:27.879Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15319 (GCVE-0-2026-15319)

    Vulnerability from nvd – Published: 2026-07-10 01:45 – Updated: 2026-07-10 14:24
    VLAI
    Title
    Sipeed PicoClaw Launcher access_control.go IPAllowlist access control
    Summary
    A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Controls
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377259 vdb-entrytechnical-description
    https://vuldb.com/vuln/377259/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15319 third-party-advisory
    https://vuldb.com/submit/852884 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3069 exploitissue-tracking
    https://github.com/sipeed/picoclaw/pull/3126 issue-trackingpatch
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-d (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15319",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T14:24:08.322070Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T14:24:20.728Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Launcher"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-d (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T01:45:08.961Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377259 | Sipeed PicoClaw Launcher access_control.go IPAllowlist access control",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377259"
            },
            {
              "name": "VDB-377259 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377259/cti"
            },
            {
              "name": "CVE-2026-15319 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15319"
            },
            {
              "name": "Submit #852884 | Sipeed PicoClaw Unreleased main branch after launcher introduction commit `e55b3b7a8d0b1ea1522da08fd46155ee4f58b794` and before a fix is merged Improper Access Control (CWE-284)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852884"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3069"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/pull/3126"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:54.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw Launcher access_control.go IPAllowlist access control"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15319",
        "datePublished": "2026-07-10T01:45:08.961Z",
        "dateReserved": "2026-07-09T18:07:37.685Z",
        "dateUpdated": "2026-07-10T14:24:20.728Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15318 (GCVE-0-2026-15318)

    Vulnerability from nvd – Published: 2026-07-10 01:30 – Updated: 2026-07-10 20:31
    VLAI
    Title
    Sipeed PicoClaw MQTT Channel mqtt.go authorization
    Summary
    A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument client_id causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377258 vdb-entrytechnical-description
    https://vuldb.com/vuln/377258/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15318 third-party-advisory
    https://vuldb.com/submit/852879 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3068 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-d (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15318",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T20:25:51.936838Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T20:31:39.059Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "MQTT Channel Handler"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-d (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument client_id causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T01:30:09.422Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377258 | Sipeed PicoClaw MQTT Channel mqtt.go authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377258"
            },
            {
              "name": "VDB-377258 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377258/cti"
            },
            {
              "name": "CVE-2026-15318 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15318"
            },
            {
              "name": "Submit #852879 | Sipeed PicoClaw \u003c= 0.2.9 Incorrect Authorization (CWE-863)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852879"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3068"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:47.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw MQTT Channel mqtt.go authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15318",
        "datePublished": "2026-07-10T01:30:09.422Z",
        "dateReserved": "2026-07-09T18:07:35.019Z",
        "dateUpdated": "2026-07-10T20:31:39.059Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15317 (GCVE-0-2026-15317)

    Vulnerability from nvd – Published: 2026-07-10 00:00 – Updated: 2026-07-14 01:26
    VLAI
    Title
    Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery
    Summary
    A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377257 vdb-entrytechnical-description
    https://vuldb.com/vuln/377257/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15317 third-party-advisory
    https://vuldb.com/submit/852877 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3078 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-d (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15317",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T01:26:17.804998Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T01:26:30.531Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Guarded Web Fetch Flow"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-d (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T00:00:13.247Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377257 | Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377257"
            },
            {
              "name": "VDB-377257 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377257/cti"
            },
            {
              "name": "CVE-2026-15317 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15317"
            },
            {
              "name": "Submit #852877 | Sipeed PicoClaw \u003c= 0.2.9 Server-Side Request Forgery (CWE-918)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852877"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3078"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:45.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15317",
        "datePublished": "2026-07-10T00:00:13.247Z",
        "dateReserved": "2026-07-09T18:07:32.588Z",
        "dateUpdated": "2026-07-14T01:26:30.531Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6987 (GCVE-0-2026-6987)

    Vulnerability from nvd – Published: 2026-04-25 16:45 – Updated: 2026-04-27 13:34
    VLAI
    Title
    PicoClaw Web Launcher Management Plane restart command injection
    Summary
    A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Credits
    AiSec (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6987",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-27T13:20:23.522219Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-27T13:34:16.415Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Web Launcher Management Plane"
              ],
              "product": "PicoClaw",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "AiSec (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-25T16:45:09.726Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-359530 | PicoClaw Web Launcher Management Plane restart command injection",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/359530"
            },
            {
              "name": "VDB-359530 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/359530/cti"
            },
            {
              "name": "Submit #796336 | PicoClaw V0.2.4 Command execution",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/796336"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/2307"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-24T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-04-24T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-04-24T21:21:36.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "PicoClaw Web Launcher Management Plane restart command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-6987",
        "datePublished": "2026-04-25T16:45:09.726Z",
        "dateReserved": "2026-04-24T19:16:31.247Z",
        "dateUpdated": "2026-04-27T13:34:16.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32296 (GCVE-0-2026-32296)

    Vulnerability from nvd – Published: 2026-03-17 17:19 – Updated: 2026-03-17 18:10
    VLAI
    Title
    Sipeed NanoKVM unauthenticated Wi-Fi configuration endpoint
    Summary
    Sipeed NanoKVM before 2.3.1 exposes a Wi-Fi configuration endpoint without proper security checks, allowing an unauthenticated attacker with network access to change the saved configured Wi-Fi network to one of the attacker's choosing, or craft a request to exhaust the system memory and terminate the KVM process.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    Sipeed NanoKVM Affected: 0 , < 2.3.1 (custom)
    Unaffected: 2.3.1
    Create a notification for this product.
    Date Public
    2026-03-17 00:00
    Credits
    Reynaldo Vasquez Garcia, Eclypsium
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32296",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-17T18:10:20.429406Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-17T18:10:26.448Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "NanoKVM",
              "vendor": "Sipeed",
              "versions": [
                {
                  "lessThan": "2.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2.3.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Reynaldo Vasquez Garcia, Eclypsium"
            }
          ],
          "datePublic": "2026-03-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Sipeed NanoKVM before 2.3.1 exposes a Wi-Fi configuration endpoint without proper security checks, allowing an unauthenticated attacker with network access to change the saved configured Wi-Fi network to one of the attacker\u0027s choosing, or craft a request to exhaust the system memory and terminate the KVM process."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            },
            {
              "other": {
                "content": {
                  "id": "CVE-2026-32296",
                  "options": [
                    {
                      "Exploitation": "none"
                    },
                    {
                      "Automatable": "yes"
                    },
                    {
                      "Technical Impact": "partial"
                    }
                  ],
                  "role": "CISA Coordinator",
                  "timestamp": "2026-03-16T19:28:53.598916Z",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-17T17:19:55.013Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/sipeed/NanoKVM/blob/main/CHANGELOG.md#231-2025-12-26"
            },
            {
              "name": "url",
              "url": "https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/"
            },
            {
              "name": "url",
              "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2026-32296"
            }
          ],
          "title": "Sipeed NanoKVM unauthenticated Wi-Fi configuration endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2026-32296",
        "datePublished": "2026-03-17T17:19:55.013Z",
        "dateReserved": "2026-03-11T18:26:54.750Z",
        "dateUpdated": "2026-03-17T18:10:26.448Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16198 (GCVE-0-2026-16198)

    Vulnerability from cvelistv5 – Published: 2026-07-18 23:30 – Updated: 2026-07-18 23:30 X_Open Source
    VLAI
    Title
    Sipeed PicoClaw First Run Setup access_control.go authentication bypass
    Summary
    A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. The impacted element is an unknown function of the file web/backend/middleware/access_control.go of the component First Run Setup. Performing a manipulation of the argument allowed_cidrs results in authentication bypass using alternate channel. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit is now public and may be used. The patch is named 017601354be38cb027ff3ffb01aed79bd5d12610. Applying a patch is the recommended action to fix this issue.
    CWE
    • CWE-288 - Authentication Bypass Using Alternate Channel
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "First Run Setup"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. The impacted element is an unknown function of the file web/backend/middleware/access_control.go of the component First Run Setup. Performing a manipulation of the argument allowed_cidrs results in authentication bypass using alternate channel. The attack may be initiated remotely. The attack\u0027s complexity is rated as high. The exploitability is regarded as difficult. The exploit is now public and may be used. The patch is named 017601354be38cb027ff3ffb01aed79bd5d12610. Applying a patch is the recommended action to fix this issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.1,
                "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "Authentication Bypass Using Alternate Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T23:30:18.741Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-380014 | Sipeed PicoClaw First Run Setup access_control.go authentication bypass",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/380014"
            },
            {
              "name": "VDB-380014 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/380014/cti"
            },
            {
              "name": "CVE-2026-16198 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16198"
            },
            {
              "name": "Submit #852965 | Sipeed PicoClaw \u003c= v0.2.9 Authentication Bypass Using an Alternate Path or Channel (CWE-288)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852965"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3080"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/pull/3083"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/commit/017601354be38cb027ff3ffb01aed79bd5d12610"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-18T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-18T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-18T09:28:00.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw First Run Setup access_control.go authentication bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16198",
        "datePublished": "2026-07-18T23:30:18.741Z",
        "dateReserved": "2026-07-18T07:22:40.821Z",
        "dateUpdated": "2026-07-18T23:30:18.741Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16197 (GCVE-0-2026-16197)

    Vulnerability from cvelistv5 – Published: 2026-07-18 23:00 – Updated: 2026-07-18 23:00
    VLAI
    Title
    Sipeed PicoClaw Group Message feishu_64.go handleMessageReceive authorization
    Summary
    A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. The affected element is the function handleMessageReceive of the file pkg/channels/feishu/feishu_64.go of the component Group Message Handler. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed automatically due to inactivity.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/380013 vdb-entrytechnical-description
    https://vuldb.com/vuln/380013/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-16197 third-party-advisory
    https://vuldb.com/submit/852964 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3082 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Group Message Handler"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. The affected element is the function handleMessageReceive of the file pkg/channels/feishu/feishu_64.go of the component Group Message Handler. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T23:00:12.202Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-380013 | Sipeed PicoClaw Group Message feishu_64.go handleMessageReceive authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/380013"
            },
            {
              "name": "VDB-380013 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/380013/cti"
            },
            {
              "name": "CVE-2026-16197 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16197"
            },
            {
              "name": "Submit #852964 | Sipeed PicoClaw \u003c= v0.2.9 Missing Authorization (CWE-862)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852964"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3082"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-18T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-18T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-18T09:27:55.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw Group Message feishu_64.go handleMessageReceive authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16197",
        "datePublished": "2026-07-18T23:00:12.202Z",
        "dateReserved": "2026-07-18T07:22:36.968Z",
        "dateUpdated": "2026-07-18T23:00:12.202Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16196 (GCVE-0-2026-16196)

    Vulnerability from cvelistv5 – Published: 2026-07-18 22:45 – Updated: 2026-07-18 22:45 X_Open Source
    VLAI
    Title
    Sipeed PicoClaw web_fetch web.go isPrivateOrRestrictedIP server-side request forgery
    Summary
    A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Impacted is the function isPrivateOrRestrictedIP of the file pkg/tools/integration/web.go of the component web_fetch. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 2efbe5d560e7ed9bc5209c203dc4aa6ecdbc7405. To fix this issue, it is recommended to deploy a patch.
    CWE
    • CWE-918 - Server-Side Request Forgery
    Assigner
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "web_fetch"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Impacted is the function isPrivateOrRestrictedIP of the file pkg/tools/integration/web.go of the component web_fetch. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 2efbe5d560e7ed9bc5209c203dc4aa6ecdbc7405. To fix this issue, it is recommended to deploy a patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T22:45:13.066Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-380012 | Sipeed PicoClaw web_fetch web.go isPrivateOrRestrictedIP server-side request forgery",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/380012"
            },
            {
              "name": "VDB-380012 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/380012/cti"
            },
            {
              "name": "CVE-2026-16196 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16196"
            },
            {
              "name": "Submit #852963 | Sipeed PicoClaw \u003c= 0.2.9 Server-Side Request Forgery (CWE-918)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852963"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3077"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/pull/3085"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/commit/2efbe5d560e7ed9bc5209c203dc4aa6ecdbc7405"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-18T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-18T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-18T09:27:51.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw web_fetch web.go isPrivateOrRestrictedIP server-side request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16196",
        "datePublished": "2026-07-18T22:45:13.066Z",
        "dateReserved": "2026-07-18T07:22:33.012Z",
        "dateUpdated": "2026-07-18T22:45:13.066Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16195 (GCVE-0-2026-16195)

    Vulnerability from cvelistv5 – Published: 2026-07-18 22:30 – Updated: 2026-07-18 22:30
    VLAI
    Title
    Sipeed PicoClaw Group Message wecom.go dispatchIncoming authorization
    Summary
    A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This issue affects the function dispatchIncoming of the file pkg/channels/wecom/wecom.go of the component Group Message Handler. The manipulation results in incorrect authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/380011 vdb-entrytechnical-description
    https://vuldb.com/vuln/380011/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-16195 third-party-advisory
    https://vuldb.com/submit/852962 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3076 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Group Message Handler"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This issue affects the function dispatchIncoming of the file pkg/channels/wecom/wecom.go of the component Group Message Handler. The manipulation results in incorrect authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T22:30:10.281Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-380011 | Sipeed PicoClaw Group Message wecom.go dispatchIncoming authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/380011"
            },
            {
              "name": "VDB-380011 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/380011/cti"
            },
            {
              "name": "CVE-2026-16195 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16195"
            },
            {
              "name": "Submit #852962 | Sipeed PicoClaw \u003c= 0.2.9 Incorrect Authorization (CWE-863)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852962"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3076"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-18T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-18T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-18T09:27:47.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw Group Message wecom.go dispatchIncoming authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16195",
        "datePublished": "2026-07-18T22:30:10.281Z",
        "dateReserved": "2026-07-18T07:22:29.086Z",
        "dateUpdated": "2026-07-18T22:30:10.281Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16085 (GCVE-0-2026-16085)

    Vulnerability from cvelistv5 – Published: 2026-07-18 09:15 – Updated: 2026-07-18 09:15
    VLAI
    Title
    Sipeed PicoClaw context.go NewContextBuilder inclusion of functionality from untrusted control sphere
    Summary
    A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. Affected is the function NewContextBuilder of the file pkg/agent/context.go. Such manipulation leads to inclusion of functionality from untrusted control sphere. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed automatically with the label "not planned" by a bot.
    CWE
    • CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/379797 vdb-entrytechnical-description
    https://vuldb.com/vuln/379797/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-16085 third-party-advisory
    https://vuldb.com/submit/852947 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3075 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. Affected is the function NewContextBuilder of the file pkg/agent/context.go. Such manipulation leads to inclusion of functionality from untrusted control sphere. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed automatically with the label \"not planned\" by a bot."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4.3,
                "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-829",
                  "description": "Inclusion of Functionality from Untrusted Control Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T09:15:09.590Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-379797 | Sipeed PicoClaw context.go NewContextBuilder inclusion of functionality from untrusted control sphere",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/379797"
            },
            {
              "name": "VDB-379797 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/379797/cti"
            },
            {
              "name": "CVE-2026-16085 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16085"
            },
            {
              "name": "Submit #852947 | Sipeed PicoClaw \u003c= 0.2.9 Inclusion of Functionality from Untrusted Control Sphere (CWE-829)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852947"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3075"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-17T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-17T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-17T15:55:34.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw context.go NewContextBuilder inclusion of functionality from untrusted control sphere"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16085",
        "datePublished": "2026-07-18T09:15:09.590Z",
        "dateReserved": "2026-07-17T13:50:10.945Z",
        "dateUpdated": "2026-07-18T09:15:09.590Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16084 (GCVE-0-2026-16084)

    Vulnerability from cvelistv5 – Published: 2026-07-18 09:00 – Updated: 2026-07-18 09:00 X_Open Source
    VLAI
    Title
    Sipeed PicoClaw web.go web_fetch server-side request forgery
    Summary
    A weakness has been identified in Sipeed PicoClaw up to 0.2.9. This impacts the function web_fetch of the file pkg/tools/integration/web.go. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. Patch name: c15aac21fe05ee103a470e1104bc891754e83392. To fix this issue, it is recommended to deploy a patch.
    CWE
    • CWE-918 - Server-Side Request Forgery
    Assigner
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in Sipeed PicoClaw up to 0.2.9. This impacts the function web_fetch of the file pkg/tools/integration/web.go. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. Patch name: c15aac21fe05ee103a470e1104bc891754e83392. To fix this issue, it is recommended to deploy a patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T09:00:10.981Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-379796 | Sipeed PicoClaw web.go web_fetch server-side request forgery",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/379796"
            },
            {
              "name": "VDB-379796 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/379796/cti"
            },
            {
              "name": "CVE-2026-16084 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16084"
            },
            {
              "name": "Submit #852946 | Sipeed PicoClaw \u003c= 0.2.9 Server-Side Request Forgery (CWE-918)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852946"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3074"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/pull/3143"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/commit/c15aac21fe05ee103a470e1104bc891754e83392"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-17T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-17T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-17T15:55:30.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw web.go web_fetch server-side request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16084",
        "datePublished": "2026-07-18T09:00:10.981Z",
        "dateReserved": "2026-07-17T13:50:07.157Z",
        "dateUpdated": "2026-07-18T09:00:10.981Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16083 (GCVE-0-2026-16083)

    Vulnerability from cvelistv5 – Published: 2026-07-18 08:30 – Updated: 2026-07-18 08:30
    VLAI
    Title
    Sipeed PicoClaw LINE Webhook line.go webhook.ParseRequest authentication replay
    Summary
    A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This affects the function webhook.ParseRequest of the file pkg/channels/line/line.go of the component LINE Webhook. The manipulation results in authentication bypass by capture-replay. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically with the label "not planned" by a bot.
    CWE
    • CWE-294 - Authentication Bypass by Capture-replay
    • CWE-287 - Improper Authentication
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/379795 vdb-entrytechnical-description
    https://vuldb.com/vuln/379795/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-16083 third-party-advisory
    https://vuldb.com/submit/852945 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3073 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "LINE Webhook"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This affects the function webhook.ParseRequest of the file pkg/channels/line/line.go of the component LINE Webhook. The manipulation results in authentication bypass by capture-replay. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically with the label \"not planned\" by a bot."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-294",
                  "description": "Authentication Bypass by Capture-replay",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T08:30:09.134Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-379795 | Sipeed PicoClaw LINE Webhook line.go webhook.ParseRequest authentication replay",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/379795"
            },
            {
              "name": "VDB-379795 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/379795/cti"
            },
            {
              "name": "CVE-2026-16083 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16083"
            },
            {
              "name": "Submit #852945 | Sipeed PicoClaw \u003c= 0.2.9 Authentication Bypass by Capture-replay (CWE-294)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852945"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3073"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-17T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-17T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-17T15:55:26.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw LINE Webhook line.go webhook.ParseRequest authentication replay"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16083",
        "datePublished": "2026-07-18T08:30:09.134Z",
        "dateReserved": "2026-07-17T13:50:03.053Z",
        "dateUpdated": "2026-07-18T08:30:09.134Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16082 (GCVE-0-2026-16082)

    Vulnerability from cvelistv5 – Published: 2026-07-18 08:15 – Updated: 2026-07-18 08:15
    VLAI
    Title
    Sipeed PicoClaw pipeline_execute.go ExecTool.executeRun toctou
    Summary
    A vulnerability was identified in Sipeed PicoClaw up to 0.2.9. The impacted element is the function ExecTool.executeRun of the file pkg/agent/pipeline_execute.go. The manipulation of the argument cwe leads to time-of-check time-of-use. The attack must be carried out locally. The exploit is publicly available and might be used. The reported GitHub issue was closed automatically with the label "not planned" by a bot.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/379794 vdb-entrytechnical-description
    https://vuldb.com/vuln/379794/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-16082 third-party-advisory
    https://vuldb.com/submit/852944 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3081 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in Sipeed PicoClaw up to 0.2.9. The impacted element is the function ExecTool.executeRun of the file pkg/agent/pipeline_execute.go. The manipulation of the argument cwe leads to time-of-check time-of-use. The attack must be carried out locally. The exploit is publicly available and might be used. The reported GitHub issue was closed automatically with the label \"not planned\" by a bot."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4.3,
                "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-367",
                  "description": "Time-of-check Time-of-use",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-362",
                  "description": "Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T08:15:07.934Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-379794 | Sipeed PicoClaw pipeline_execute.go ExecTool.executeRun toctou",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/379794"
            },
            {
              "name": "VDB-379794 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/379794/cti"
            },
            {
              "name": "CVE-2026-16082 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16082"
            },
            {
              "name": "Submit #852944 | Sipeed PicoClaw \u003c= 0.2.9 Time-of-check Time-of-use Race Condition (CWE-367)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852944"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3081"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-17T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-17T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-17T15:55:22.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw pipeline_execute.go ExecTool.executeRun toctou"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16082",
        "datePublished": "2026-07-18T08:15:07.934Z",
        "dateReserved": "2026-07-17T13:49:58.787Z",
        "dateUpdated": "2026-07-18T08:15:07.934Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-16081 (GCVE-0-2026-16081)

    Vulnerability from cvelistv5 – Published: 2026-07-18 07:45 – Updated: 2026-07-18 07:45 X_Open Source
    VLAI
    Title
    Sipeed PicoClaw auth.go cross-site request forgery
    Summary
    A vulnerability was determined in Sipeed PicoClaw up to 0.2.9. The affected element is an unknown function of the file web/backend/api/auth.go. Executing a manipulation can lead to cross-site request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 4b0229351678f479429b8d8b19207757266f246b. Applying a patch is advised to resolve this issue.
    CWE
    • CWE-352 - Cross-Site Request Forgery
    • CWE-862 - Missing Authorization
    Assigner
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was determined in Sipeed PicoClaw up to 0.2.9. The affected element is an unknown function of the file web/backend/api/auth.go. Executing a manipulation can lead to cross-site request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 4b0229351678f479429b8d8b19207757266f246b. Applying a patch is advised to resolve this issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "Cross-Site Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-18T07:45:09.658Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-379793 | Sipeed PicoClaw auth.go cross-site request forgery",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/379793"
            },
            {
              "name": "VDB-379793 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/379793/cti"
            },
            {
              "name": "CVE-2026-16081 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-16081"
            },
            {
              "name": "Submit #852943 | Sipeed PicoClaw \u003c= 0.2.9 Cross-Site Request Forgery (CWE-352)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852943"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3072"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/pull/3160"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/commit/4b0229351678f479429b8d8b19207757266f246b"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-17T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-17T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-17T15:55:17.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw auth.go cross-site request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-16081",
        "datePublished": "2026-07-18T07:45:09.658Z",
        "dateReserved": "2026-07-17T13:49:54.669Z",
        "dateUpdated": "2026-07-18T07:45:09.658Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15320 (GCVE-0-2026-15320)

    Vulnerability from cvelistv5 – Published: 2026-07-10 02:00 – Updated: 2026-07-10 15:26
    VLAI
    Title
    Sipeed PicoClaw pico.go rt.ReloadConfig authorization
    Summary
    A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377260 vdb-entrytechnical-description
    https://vuldb.com/vuln/377260/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15320 third-party-advisory
    https://vuldb.com/submit/852942 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3071 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-i (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15320",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T15:26:21.767167Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T15:26:27.879Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-i (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.5,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T02:00:08.478Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377260 | Sipeed PicoClaw pico.go rt.ReloadConfig authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377260"
            },
            {
              "name": "VDB-377260 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377260/cti"
            },
            {
              "name": "CVE-2026-15320 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15320"
            },
            {
              "name": "Submit #852942 | Sipeed PicoClaw \u003c= 0.2.9 Missing Authorization (CWE-862)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852942"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3071"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:57.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw pico.go rt.ReloadConfig authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15320",
        "datePublished": "2026-07-10T02:00:08.478Z",
        "dateReserved": "2026-07-09T18:07:40.636Z",
        "dateUpdated": "2026-07-10T15:26:27.879Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15319 (GCVE-0-2026-15319)

    Vulnerability from cvelistv5 – Published: 2026-07-10 01:45 – Updated: 2026-07-10 14:24
    VLAI
    Title
    Sipeed PicoClaw Launcher access_control.go IPAllowlist access control
    Summary
    A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Controls
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377259 vdb-entrytechnical-description
    https://vuldb.com/vuln/377259/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15319 third-party-advisory
    https://vuldb.com/submit/852884 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3069 exploitissue-tracking
    https://github.com/sipeed/picoclaw/pull/3126 issue-trackingpatch
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-d (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15319",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T14:24:08.322070Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T14:24:20.728Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Launcher"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-d (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T01:45:08.961Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377259 | Sipeed PicoClaw Launcher access_control.go IPAllowlist access control",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377259"
            },
            {
              "name": "VDB-377259 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377259/cti"
            },
            {
              "name": "CVE-2026-15319 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15319"
            },
            {
              "name": "Submit #852884 | Sipeed PicoClaw Unreleased main branch after launcher introduction commit `e55b3b7a8d0b1ea1522da08fd46155ee4f58b794` and before a fix is merged Improper Access Control (CWE-284)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852884"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3069"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/sipeed/picoclaw/pull/3126"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:54.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw Launcher access_control.go IPAllowlist access control"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15319",
        "datePublished": "2026-07-10T01:45:08.961Z",
        "dateReserved": "2026-07-09T18:07:37.685Z",
        "dateUpdated": "2026-07-10T14:24:20.728Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15318 (GCVE-0-2026-15318)

    Vulnerability from cvelistv5 – Published: 2026-07-10 01:30 – Updated: 2026-07-10 20:31
    VLAI
    Title
    Sipeed PicoClaw MQTT Channel mqtt.go authorization
    Summary
    A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument client_id causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377258 vdb-entrytechnical-description
    https://vuldb.com/vuln/377258/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15318 third-party-advisory
    https://vuldb.com/submit/852879 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3068 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-d (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15318",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T20:25:51.936838Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T20:31:39.059Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "MQTT Channel Handler"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-d (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument client_id causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T01:30:09.422Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377258 | Sipeed PicoClaw MQTT Channel mqtt.go authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377258"
            },
            {
              "name": "VDB-377258 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377258/cti"
            },
            {
              "name": "CVE-2026-15318 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15318"
            },
            {
              "name": "Submit #852879 | Sipeed PicoClaw \u003c= 0.2.9 Incorrect Authorization (CWE-863)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852879"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3068"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:47.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw MQTT Channel mqtt.go authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15318",
        "datePublished": "2026-07-10T01:30:09.422Z",
        "dateReserved": "2026-07-09T18:07:35.019Z",
        "dateUpdated": "2026-07-10T20:31:39.059Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15317 (GCVE-0-2026-15317)

    Vulnerability from cvelistv5 – Published: 2026-07-10 00:00 – Updated: 2026-07-14 01:26
    VLAI
    Title
    Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery
    Summary
    A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377257 vdb-entrytechnical-description
    https://vuldb.com/vuln/377257/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15317 third-party-advisory
    https://vuldb.com/submit/852877 third-party-advisory
    https://github.com/sipeed/picoclaw/issues/3078 exploitissue-tracking
    https://github.com/sipeed/picoclaw/ product
    Impacted products
    Vendor Product Version
    Sipeed PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Affected: 0.2.5
    Affected: 0.2.6
    Affected: 0.2.7
    Affected: 0.2.8
    Affected: 0.2.9
        cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Eric-d (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15317",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T01:26:17.804998Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T01:26:30.531Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Guarded Web Fetch Flow"
              ],
              "product": "PicoClaw",
              "vendor": "Sipeed",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                },
                {
                  "status": "affected",
                  "version": "0.2.5"
                },
                {
                  "status": "affected",
                  "version": "0.2.6"
                },
                {
                  "status": "affected",
                  "version": "0.2.7"
                },
                {
                  "status": "affected",
                  "version": "0.2.8"
                },
                {
                  "status": "affected",
                  "version": "0.2.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eric-d (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T00:00:13.247Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377257 | Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377257"
            },
            {
              "name": "VDB-377257 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377257/cti"
            },
            {
              "name": "CVE-2026-15317 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15317"
            },
            {
              "name": "Submit #852877 | Sipeed PicoClaw \u003c= 0.2.9 Server-Side Request Forgery (CWE-918)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/852877"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/3078"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/sipeed/picoclaw/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T20:12:45.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15317",
        "datePublished": "2026-07-10T00:00:13.247Z",
        "dateReserved": "2026-07-09T18:07:32.588Z",
        "dateUpdated": "2026-07-14T01:26:30.531Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6987 (GCVE-0-2026-6987)

    Vulnerability from cvelistv5 – Published: 2026-04-25 16:45 – Updated: 2026-04-27 13:34
    VLAI
    Title
    PicoClaw Web Launcher Management Plane restart command injection
    Summary
    A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a PicoClaw Affected: 0.2.0
    Affected: 0.2.1
    Affected: 0.2.2
    Affected: 0.2.3
    Affected: 0.2.4
    Credits
    AiSec (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6987",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-27T13:20:23.522219Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-27T13:34:16.415Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Web Launcher Management Plane"
              ],
              "product": "PicoClaw",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                },
                {
                  "status": "affected",
                  "version": "0.2.1"
                },
                {
                  "status": "affected",
                  "version": "0.2.2"
                },
                {
                  "status": "affected",
                  "version": "0.2.3"
                },
                {
                  "status": "affected",
                  "version": "0.2.4"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "AiSec (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-25T16:45:09.726Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-359530 | PicoClaw Web Launcher Management Plane restart command injection",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/359530"
            },
            {
              "name": "VDB-359530 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/359530/cti"
            },
            {
              "name": "Submit #796336 | PicoClaw V0.2.4 Command execution",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/796336"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/sipeed/picoclaw/issues/2307"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-24T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-04-24T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-04-24T21:21:36.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "PicoClaw Web Launcher Management Plane restart command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-6987",
        "datePublished": "2026-04-25T16:45:09.726Z",
        "dateReserved": "2026-04-24T19:16:31.247Z",
        "dateUpdated": "2026-04-27T13:34:16.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32296 (GCVE-0-2026-32296)

    Vulnerability from cvelistv5 – Published: 2026-03-17 17:19 – Updated: 2026-03-17 18:10
    VLAI
    Title
    Sipeed NanoKVM unauthenticated Wi-Fi configuration endpoint
    Summary
    Sipeed NanoKVM before 2.3.1 exposes a Wi-Fi configuration endpoint without proper security checks, allowing an unauthenticated attacker with network access to change the saved configured Wi-Fi network to one of the attacker's choosing, or craft a request to exhaust the system memory and terminate the KVM process.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    Sipeed NanoKVM Affected: 0 , < 2.3.1 (custom)
    Unaffected: 2.3.1
    Create a notification for this product.
    Date Public
    2026-03-17 00:00
    Credits
    Reynaldo Vasquez Garcia, Eclypsium
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32296",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-17T18:10:20.429406Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-17T18:10:26.448Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "NanoKVM",
              "vendor": "Sipeed",
              "versions": [
                {
                  "lessThan": "2.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2.3.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Reynaldo Vasquez Garcia, Eclypsium"
            }
          ],
          "datePublic": "2026-03-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Sipeed NanoKVM before 2.3.1 exposes a Wi-Fi configuration endpoint without proper security checks, allowing an unauthenticated attacker with network access to change the saved configured Wi-Fi network to one of the attacker\u0027s choosing, or craft a request to exhaust the system memory and terminate the KVM process."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            },
            {
              "other": {
                "content": {
                  "id": "CVE-2026-32296",
                  "options": [
                    {
                      "Exploitation": "none"
                    },
                    {
                      "Automatable": "yes"
                    },
                    {
                      "Technical Impact": "partial"
                    }
                  ],
                  "role": "CISA Coordinator",
                  "timestamp": "2026-03-16T19:28:53.598916Z",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-17T17:19:55.013Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/sipeed/NanoKVM/blob/main/CHANGELOG.md#231-2025-12-26"
            },
            {
              "name": "url",
              "url": "https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/"
            },
            {
              "name": "url",
              "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2026-32296"
            }
          ],
          "title": "Sipeed NanoKVM unauthenticated Wi-Fi configuration endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2026-32296",
        "datePublished": "2026-03-17T17:19:55.013Z",
        "dateReserved": "2026-03-11T18:26:54.750Z",
        "dateUpdated": "2026-03-17T18:10:26.448Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }