CVE-2026-36045 · HIGH · CVSS 7.3

picoclaw is vulnerable to OS command injection via the ExecTool component

Published May 27, 2026·Updated Jul 1, 2026

Description

picoclaw v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component (pkg/tools/shell.go). The guardCommand() function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete, so commands it has no pattern for still reach the shell.

Affected Packages (1)

github.com/sipeed/picoclaw (Go)
Fixed in = 0.1.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
