Skip to main content

Clawlet

2 CVEs product

Monthly

CVE-2026-15621 MEDIUM This Month

Link-following vulnerability in mosaxiv clawlet up to version 0.2.10 allows local low-privileged attackers to read, write, or modify files outside intended directories by supplying symlinks to the read_file, write_file, and edit_file functions in tools/fs_ops.go. All three file-operation primitives are affected, meaning the attack surface covers both read (information disclosure) and write/edit (integrity impact) paths. No patch is planned - the upstream GitHub issue was explicitly closed as 'not planned', leaving all deployments on affected versions permanently unpatched.

Information Disclosure Clawlet
NVD VulDB GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-15620 LOW POC Monitor

Server-side request forgery in mosaxiv clawlet up to version 0.2.10 enables authenticated remote attackers to manipulate the webFetch tool function to issue arbitrary HTTP requests from the server, potentially reaching internal services, cloud metadata endpoints, or other network resources not directly accessible to the attacker. A publicly available proof-of-concept exploit was disclosed via GitHub issue #14, making real-world exploitation more accessible. Critically, the upstream maintainer closed the issue as 'not planned,' meaning no vendor-released patch is forthcoming and the vulnerability will remain permanently unaddressed in the existing codebase.

SSRF Clawlet
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
EPSS 0% CVSS 4.8
MEDIUM This Month

Link-following vulnerability in mosaxiv clawlet up to version 0.2.10 allows local low-privileged attackers to read, write, or modify files outside intended directories by supplying symlinks to the read_file, write_file, and edit_file functions in tools/fs_ops.go. All three file-operation primitives are affected, meaning the attack surface covers both read (information disclosure) and write/edit (integrity impact) paths. No patch is planned - the upstream GitHub issue was explicitly closed as 'not planned', leaving all deployments on affected versions permanently unpatched.

Information Disclosure Clawlet
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in mosaxiv clawlet up to version 0.2.10 enables authenticated remote attackers to manipulate the webFetch tool function to issue arbitrary HTTP requests from the server, potentially reaching internal services, cloud metadata endpoints, or other network resources not directly accessible to the attacker. A publicly available proof-of-concept exploit was disclosed via GitHub issue #14, making real-world exploitation more accessible. Critically, the upstream maintainer closed the issue as 'not planned,' meaning no vendor-released patch is forthcoming and the vulnerability will remain permanently unaddressed in the existing codebase.

SSRF Clawlet
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy