Server-side Request Forgery Vulnerability in Sipeed PicoClaw Software
CVE-2026-16196
Key Information:
Badges
What is CVE-2026-16196?
A vulnerability in the Sipeed PicoClaw software has been identified, specifically impacting the web_fetch component's isPrivateOrRestrictedIP function. This flaw facilitates server-side request forgery, allowing remote attackers to manipulate server requests. The exploit has been made publicly accessible, presenting significant risks unless properly mitigated. Users are advised to apply the available security patch (commit 2efbe5d560e7ed9bc5209c203dc4aa6ecdbc7405) to safeguard their systems against potential attacks.
Affected Version(s)
PicoClaw 0.2.0
PicoClaw 0.2.1
PicoClaw 0.2.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
