CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet.
Analysis (AI)
Remote command injection in the PicoClaw Web Launcher Management Plane (versions up to and including 0.2.4) allows unauthenticated attackers to execute system commands via the /api/gateway/restart endpoint. The quoted score of 7.3 (AV:N/AC:L/PR:N/UI:N) and the CVSS 4.0 vector above agree on the access metrics: network-reachable, low attack complexity, no privileges and no user interaction required. The E:P component of the 4.0 vector records that a proof-of-concept exploit exists. Note that the vector rates the confidentiality, integrity and availability impact as Low (VC:L/VI:L/VA:L); that is conservative for command execution on the host, and defenders should plan for compromise of everything the PicoClaw process can reach. No fix was available when the entry was written, since the project had not responded to the issue report. …
Remediation (AI)
Within 24 hours: identify every instance of the PicoClaw Web Launcher Management Plane (version ≤ 0.2.4) in your environment and record its network exposure. Immediately restrict access to the /api/gateway/restart endpoint with firewall rules or WAF policies so that only trusted administrative IP ranges can reach it; because the endpoint requires no authentication, network reachability is currently the only control.

Within 7 days: segment the management plane away from internet-facing networks; deploy detection for requests to /api/gateway/restart, alerting on any source outside the admin allowlist and on payloads containing shell metacharacters; and follow the PicoClaw project's issue tracker for a patch timeline and interim guidance (the description notes the project had not yet responded to the report). …
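The following is an added example, not code from the page or from the PicoClaw project, showing how the two detection rules above (source outside the admin allowlist, shell metacharacters in the request) can be run over reverse-proxy access logs in front of a PicoClaw instance. The trusted ranges, the log lines and the Combined Log Format layout are assumptions for the demonstration.

```python
"""Scan access logs for requests to PicoClaw's /api/gateway/restart endpoint that
come from outside an admin allowlist or carry shell metacharacters."""
import ipaddress
import re
import urllib.parse

TARGET_PATH = "/api/gateway/restart"

# Assumption: the trusted administrative ranges for this deployment.
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.0.50.0/24"),
    ipaddress.ip_network("192.168.1.10/32"),
]

# Characters that separate, chain or substitute commands in POSIX shells.
SHELL_META_RE = re.compile(r"[;&|`$<>]")

# Combined Log Format, as written by nginx/Apache or a reverse proxy in front of PicoClaw.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Constructed sample lines for demonstration; not taken from any real deployment.
SAMPLE_LOG = """\
10.0.50.12 - - [01/Jan/2026:10:00:00 +0000] "POST /api/gateway/restart HTTP/1.1" 200 17 "-" "curl/8.4.0"
203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "POST /api/gateway/restart HTTP/1.1" 200 17 "-" "python-requests/2.31"
203.0.113.9 - - [01/Jan/2026:10:00:07 +0000] "POST /api/gateway/restart?name=x%3Bid HTTP/1.1" 200 17 "-" "python-requests/2.31"
10.0.50.12 - - [01/Jan/2026:10:00:09 +0000] "GET /api/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urllib.parse.urlsplit(entry["target"])
    entry["path"] = parts.path
    # Decode percent-encoding so "%3B" is seen as ";" before the metacharacter check.
    entry["query"] = urllib.parse.unquote_plus(parts.query)
    return entry


def is_trusted(ip):
    """True if ip falls inside one of the trusted admin ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def check_entry(entry):
    """Return the alert reasons for a restart-endpoint request; empty if benign or off-target."""
    reasons = []
    if entry is None or entry["path"] != TARGET_PATH:
        return reasons
    if not is_trusted(entry["ip"]):
        reasons.append("source outside admin allowlist")
    if SHELL_META_RE.search(entry["query"]):
        reasons.append("shell metacharacter in query string")
    return reasons


def scan_log(text):
    """Scan log text and return one alert dict per suspicious restart request, in log order."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        reasons = check_entry(entry)
        if reasons:
            alerts.append({"ip": entry["ip"], "ts": entry["ts"],
                           "target": entry["target"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["ip"]} {alert["target"]}: {"; ".join(alert["reasons"])}')
```

One caveat a practitioner should keep in mind: standard access logs record only the request line, so a payload sent in a POST body is invisible to this scan. The metacharacter rule therefore only catches what appears in the URL; the allowlist rule is the one that matters for a body-borne payload, and inspecting the body itself needs request-body logging or a WAF in front of the endpoint.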
External POC / Exploit Code
EUVD-2026-25663