A weakness has been identified in Sipeed PicoClaw up to 0.2.9. This impacts the function web_fetch of the file pkg/tools/integration/web.go. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. Patch name: c15aac21fe05ee103a470e1104bc891754e83392. To fix this issue, it is recommended to deploy a patch.
https://vuldb.com/vuln/379796/cti
https://vuldb.com/submit/852946
https://vuldb.com/cve/CVE-2026-16084
https://github.com/sipeed/picoclaw/pull/3143
https://github.com/sipeed/picoclaw/issues/3074
https://github.com/sipeed/picoclaw/commit/c15aac21fe05ee103a470e1104bc891754e83392
Published: 2026-07-18
Updated: 2026-07-18
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Severity: High
Base Score: 7.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity: High
Base Score: 6.9
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Severity: Medium
EPSS: 0.00401