Description
A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-25
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw originates from unsanitized input handling in the /api/gateway/restart endpoint of the PicoClaw Web Launcher Management Plane. An attacker who can send requests to this endpoint can inject arbitrary shell commands, leading to remote command execution. The issue is classified under CWE-74 and CWE-77, indicating flawed command construction and a lack of input validation. Remote access to the management interface is sufficient to trigger the injection.

Affected Systems

PicoClaw firmware versions up to and including 0.2.4 are affected. Any device running affected firmware that exposes the management API to external networks is at risk. The product is maintained by the PicoClaw project, which has documented the issue but has not yet released a fixed build.

Risk and Exploitability

The CVSS score of 6.9 denotes moderate severity, while an EPSS score of < 1% points to a low current likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog. Attackers would require network reachability to the device's web management API and would exploit the injection by supplying crafted input to the restart endpoint. While the chance of active exploitation remains low at present, the impact of a successful injection (full system compromise) remains high, especially for devices exposed to the internet.

Generated by OpenCVE AI on May 2, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Limit external access to the /api/gateway/restart endpoint using firewall rules or network segmentation so that only trusted internal systems can invoke it.
  • Upgrade the device’s firmware to a version newer than 0.2.4 as soon as a vendor fix becomes available; monitor the PicoClaw issue tracker for updates.
  • If a firmware update is not available immediately, disable or block the restart functionality on the Web Launcher Management Plane to prevent the vulnerable endpoint from being called.
  • Apply input validation or command sanitization on the server side to ensure that untrusted data is not passed to the operating system shell, in line with best practices for mitigating command injection.


Advisories

Source: GitHub GHSA
ID: GHSA-6r3x-h84w-fhxx
Title: PicoClaw has an Injection issue in its Web Launcher Management Plane component
History

Fri, 01 May 2026 20:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:go:*:*

Mon, 27 Apr 2026 20:45:00 +0000

Type: First Time appeared
Values Added: Sipeed; Sipeed picoclaw

Type: Vendors & Products
Values Added: Sipeed; Sipeed picoclaw

Mon, 27 Apr 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 25 Apr 2026 17:00:00 +0000

Type: Description
Values Added: A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values Added: PicoClaw Web Launcher Management Plane restart command injection

Type: Weaknesses
Values Added: CWE-74, CWE-77

Type: References
Values Added:

Type: Metrics
Values Added:
  cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:34:16.415Z

Reserved: 2026-04-24T19:16:31.247Z

Link: CVE-2026-6987

Vulnrichment

Updated: 2026-04-27T13:20:24.583Z

NVD

Status: Analyzed

Published: 2026-04-25T17:16:33.870

Modified: 2026-05-01T20:24:30.653

Link: CVE-2026-6987

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T14:45:44Z

Weaknesses