Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable SSRF requiring user interaction (UI:R per CVSS 4.0 UI:P); no privileges needed; low CIA impact aligned with CVSS 4.0 VC:L/VI:L/VA:L; no scope change as SC/SI/SA are all N.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity.
AnalysisAI
Server-side request forgery in Sipeed PicoClaw up to version 0.2.9 allows remote attackers to manipulate the WebFetchTool.Execute function within the Guarded Web Fetch Flow component, causing the server to issue arbitrary outbound requests on behalf of the attacker. The vulnerability carries a CVSS 4.0 base score of 2.1, reflecting limited confidentiality, integrity, and availability impact with no subsequent-system scope change. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that PicoClaw is deployed and its WebFetchTool.Execute function within the Guarded Web Fetch Flow is reachable over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is substantially limited by multiple converging signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker submits a crafted URL - targeting an internal service such as the AWS instance metadata endpoint at http://169.254.169.254/latest/meta-data/ - to the PicoClaw WebFetchTool.Execute interface after eliciting or waiting for a passive user interaction that triggers the fetch. The Guarded Web Fetch Flow fails to block the malicious URL, and the PicoClaw server fetches the internal resource and returns the response to the attacker. … |
| Remediation | No vendor-released patch has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Improper access control in Sipeed PicoClaw up to version 0.2.9 allows remote unauthenticated attackers to bypass the IP
Missing authorization in Sipeed PicoClaw up to version 0.2.9 permits remote low-privileged attackers to invoke the rt.Re
Incorrect authorization in Sipeed PicoClaw's MQTT Channel Handler (pkg/channels/mqtt/mqtt.go) through version 0.2.9 allo
Remote command injection in PicoClaw Web Launcher Management Plane (versions up to 0.2.4) allows unauthenticated attacke
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42757
GHSA-jfqv-gfxr-5hm7