Skip to main content

picobot EUVDEUVD-2026-43619

| CVE-2026-15668 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-14 VulDB GHSA-95cp-92vm-rcpc
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Network-reachable SSRF requiring low-privilege auth; scope unchanged per 4.0 SC:N; partial C/I/A impact consistent with provided 4.0 VC:L/VI:L/VA:L metrics.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
Jul 14, 2026 - 05:22 NVD
MEDIUM LOW
CVSS changed
Jul 14, 2026 - 05:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Jul 14, 2026 - 04:45 vuln.today
CVE Published
Jul 14, 2026 - 04:00 cve.org
MEDIUM 5.3

DescriptionCVE.org

A vulnerability has been found in louisho5 picobot up to 0.2.0. This vulnerability affects the function WebTool.Execute of the file internal/agent/tools/web.go of the component web Tool. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Server-side request forgery in louisho5 picobot up to version 0.2.0 allows authenticated remote attackers to manipulate the url argument of the WebTool.Execute function in internal/agent/tools/web.go, causing the server to issue arbitrary HTTP requests to internal or external targets. The vulnerability carries a CVSS 4.0 score of 5.3 with low-privilege authentication required and has publicly available exploit code disclosed via a GitHub issue report. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to picobot with low-privilege credentials
Delivery
Submit crafted url parameter to WebTool.Execute
Exploit
Server issues outbound request to attacker-specified internal target
Execution
Internal service responds to picobot host
Impact
Attacker receives internal data in response

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold low-privileged authenticated access to the picobot instance (PR:L per CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates network-reachable exploitation at low complexity requiring only low-privileged authentication, with partial confidentiality, integrity, and availability impact on the vulnerable system and no subsequent-system scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privilege authenticated access to a picobot deployment submits a crafted request to the WebTool.Execute endpoint with the url parameter pointing to an internal resource such as http://169.254.169.254/latest/meta-data/ (AWS instance metadata) or an internal administrative service not exposed to the internet. The picobot server issues the request on the attacker's behalf and returns the response, leaking cloud credentials, internal API responses, or internal service data. …
Remediation No vendor-released patch has been identified at time of analysis - the upstream maintainer had not responded to the responsible disclosure at the time of CVE publication. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43619 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy