CVE-2026-36045 - Vulnerability Details

- OS Command Injection in picoclaw ExecTool

Description

picoclaw <=v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component (pkg/tools/shell.go). The guardCommand() function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete.

Published: 2026-05-27

Score: 7.3 High

EPSS: 1.3% Low

KEV: No

Impact:

Action:

Analysis

Impact

An attacker can execute arbitrary shell commands through picoclaw's ExecTool component because the command filtering only blocks a few patterns and leaves many injection vectors open. This flaw is classified as an OS command injection, allowing an attacker to manipulate the host system or exfiltrate data. The vulnerability is a direct result of incomplete input validation when launching system commands.

Affected Systems

The affected product is picoclaw, specifically versions 0.1.2 and earlier. No vendor information is recorded, but the entire software package is vulnerable.

Risk and Exploitability

The CVSS score for this issue is 7.3, and the EPSS rating is 1%, while it is not listed in the CISA KEV catalog, suggesting that exploitation is not widely observed. Based on the description, it is inferred that the attacker must have access to a mechanism that can invoke the ExecTool interface, such as a local service or API endpoint, to be able to run arbitrary commands with the privileges of the picoclaw process. The incomplete denylist means that the flaw is highly exploitable once the entry point is reachable.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Sipeed

Picoclaw

90%

Version	Status	Scheme	Platform
`[0,0.1.2]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Disable or remove the ExecTool component from picoclaw if that functionality is not required.
Restrict access to the ExecTool API with firewalls, network segmentation, or stricter authentication so that only trusted administrators can invoke it.
Implement a command whitelist and monitor logs for unexpected shell activity to detect exploitation attempts.
Check the vendor’s website or repository for a newer release that includes a fixed denylist before applying the update if one becomes available.

Generated by OpenCVE AI on June 16, 2026 at 09:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01314.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://gist.github.com/NucleiAv/41899be6266a9813840301577792ed68
https://github.com/sipeed/picoclaw/releases/tag/v0.1.2

History

Tue, 16 Jun 2026 09:45:00 +0000

Type	Values Removed	Values Added
Title		OS Command Injection in picoclaw ExecTool

Tue, 02 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Title	OS Command Injection via picoclaw ExecTool

Fri, 29 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Title		OS Command Injection via picoclaw ExecTool

Thu, 28 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
Title	OS Command Injection in picoclaw’s ExecTool Component due to Incomplete Denylist

Thu, 28 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 27 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Title		OS Command Injection in picoclaw’s ExecTool Component due to Incomplete Denylist
First Time appeared		Sipeed Sipeed picoclaw
Weaknesses		CWE-78
Vendors & Products		Sipeed Sipeed picoclaw

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		picoclaw <=v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component (pkg/tools/shell.go). The guardCommand() function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete.
References		https://gist.github.com/NucleiAv/41899be6266a9813840301577792ed68 https://github.com/sipeed/picoclaw/releases/tag/v0.1.2

Subscriptions

Sipeed Picoclaw

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-27T00:00:00.000Z

Updated: 2026-05-28T13:32:36.668Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36045

Vulnrichment

Updated: 2026-05-28T13:32:28.079Z

NVD

Status : Deferred

Published: 2026-05-27T14:16:45.287

Modified: 2026-06-01T18:09:03.137

Link: CVE-2026-36045

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T09:30:15Z

Weaknesses

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object