Skip to main content

picobot EUVDEUVD-2026-43618

| CVE-2026-15629 LOW
Improper Link Resolution Before File Access (CWE-59)
2026-07-14 VulDB GHSA-3w4p-rmf6-8x3x
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Network-reachable endpoint requires low-privilege auth (PR:L); symlink traversal yields limited file read/write with no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
Jul 14, 2026 - 05:22 NVD
MEDIUM LOW
CVSS changed
Jul 14, 2026 - 05:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Jul 14, 2026 - 04:45 vuln.today
CVE Published
Jul 14, 2026 - 03:30 cve.org
MEDIUM 5.3

DescriptionCVE.org

A weakness has been identified in louisho5 picobot up to 0.2.0. Impacted is the function CreateSkill/GetSkill of the file internal/agent/tools/filesystem.go of the component Workspace Handler. Executing a manipulation can lead to link following. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Link-following vulnerability in louisho5 picobot up to version 0.2.0 allows a remote, low-privileged attacker to traverse outside the intended workspace directory via the CreateSkill and GetSkill functions in the filesystem handler. The root cause is improper symlink resolution (CWE-59) in internal/agent/tools/filesystem.go, enabling potential unauthorized file read and write operations on the host filesystem. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege credentials
Delivery
Send crafted CreateSkill request with symlink payload
Exploit
Workspace Handler resolves symlink without boundary check
Execution
Access or write file outside workspace sandbox
Impact
Exfiltrate sensitive host filesystem data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid low-privilege account or API credential on the target picobot instance, as indicated by PR:L in the CVSS 4.0 vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L) scores 5.3, indicating medium severity with low individual impact across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker with low-privilege access to a picobot instance crafts a skill creation request containing a symbolic link pointing to a sensitive file outside the workspace directory (e.g., /etc/passwd or application secrets). When the GetSkill function resolves the path without validating the symlink target, the server returns or writes to the attacker-controlled out-of-bounds location. …
Remediation No vendor-released patch has been identified at time of analysis; the project maintainer has not responded to the disclosure as of the report date. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43618 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy