Skip to main content

Sipeed PicoClaw EUVDEUVD-2026-42757

| CVE-2026-15317 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-10 VulDB GHSA-jfqv-gfxr-5hm7
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Network-reachable SSRF requiring user interaction (UI:R per CVSS 4.0 UI:P); no privileges needed; low CIA impact aligned with CVSS 4.0 VC:L/VI:L/VA:L; no scope change as SC/SI/SA are all N.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 10, 2026 - 00:28 vuln.today
Severity Changed
Jul 10, 2026 - 00:22 NVD
MEDIUM LOW
CVSS changed
Jul 10, 2026 - 00:22 NVD
5.3 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity.

AnalysisAI

Server-side request forgery in Sipeed PicoClaw up to version 0.2.9 allows remote attackers to manipulate the WebFetchTool.Execute function within the Guarded Web Fetch Flow component, causing the server to issue arbitrary outbound requests on behalf of the attacker. The vulnerability carries a CVSS 4.0 base score of 2.1, reflecting limited confidentiality, integrity, and availability impact with no subsequent-system scope change. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted URL to WebFetchTool.Execute endpoint
Delivery
Trigger passive user interaction to initiate fetch
Exploit
Bypass Guarded Web Fetch Flow SSRF controls
Execution
Server issues request to internal or metadata target
Impact
Retrieve partial response data from restricted resource

Vulnerability AssessmentAI

Exploitation Exploitation requires that PicoClaw is deployed and its WebFetchTool.Execute function within the Guarded Web Fetch Flow is reachable over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is substantially limited by multiple converging signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker submits a crafted URL - targeting an internal service such as the AWS instance metadata endpoint at http://169.254.169.254/latest/meta-data/ - to the PicoClaw WebFetchTool.Execute interface after eliciting or waiting for a passive user interaction that triggers the fetch. The Guarded Web Fetch Flow fails to block the malicious URL, and the PicoClaw server fetches the internal resource and returns the response to the attacker. …
Remediation No vendor-released patch has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42757 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy