Skip to main content

picobot EUVDEUVD-2026-43621

| CVE-2026-15669 LOW
OS Command Injection (CWE-78)
2026-07-14 VulDB GHSA-r2gh-4x75-72jf
1.9
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
1.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Local-only attack vector and low-privilege requirement per exec tool access model; no scope change as subsequent-system impact is absent.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
Jul 14, 2026 - 06:22 NVD
MEDIUM LOW
CVSS changed
Jul 14, 2026 - 06:22 NVD
4.8 (MEDIUM) 1.9 (LOW)
Analysis Generated
Jul 14, 2026 - 05:46 vuln.today
CVE Published
Jul 14, 2026 - 05:15 cve.org
MEDIUM 4.8

DescriptionCVE.org

A vulnerability was found in louisho5 picobot up to 0.2.0. This issue affects the function ExecTool.Execute of the file internal/agent/tools/exec.go of the component exec Tool. The manipulation results in os command injection. The attack requires a local approach. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

OS command injection in louisho5 picobot up to version 0.2.0 allows local low-privileged attackers to execute arbitrary operating system commands through the ExecTool.Execute function in internal/agent/tools/exec.go. A publicly available proof-of-concept exploit exists (GitHub issue #43), elevating practical risk despite the moderate CVSS 4.0 score of 4.8. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege local shell access
Delivery
Craft OS command injection payload with shell metacharacters
Exploit
Supply payload to ExecTool.Execute function
Execution
Unsanitized input passed to OS exec call
Persist
Arbitrary commands execute under picobot process context
Impact
Achieve unauthorized local code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to a host where picobot version 0.2.0 or earlier is installed and the exec tool (ExecTool.Execute in internal/agent/tools/exec.go) is accessible to the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.8 with vector AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N reflects a moderate, locally-scoped risk with limited impact across all three pillars. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with low-privilege credentials on a shared system running picobot crafts a malicious string containing shell metacharacters (e.g., semicolons, backticks, or pipe operators) and supplies it as input to the ExecTool.Execute function. The function passes the unsanitized input directly to an OS command call, causing the shell to interpret the injected metacharacters and execute attacker-controlled commands in the context of the picobot process. …
Remediation No vendor-released patch has been identified at time of analysis - the project maintainer has not responded to the responsible disclosure filed via GitHub issue #42. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43621 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy