Command Injection Vulnerability in PicoClaw Web Launcher Management Plane
CVE-2026-6987

6.9 MEDIUM

Key Information:

Vendor:
PicoClaw

Status:
Vendor

CVE Published:
25 April 2026

What is CVE-2026-6987?

A command injection vulnerability exists in the PicoClaw Web Launcher Management Plane, specifically within the /api/gateway/restart function. This flaw allows remote attackers to execute arbitrary commands, potentially leading to unauthorized system manipulation. Despite being reported, there has been no official response from the project regarding mitigation strategies. Users of PicoClaw versions up to 0.2.4 are advised to take precautions to protect their systems from potential exploitation.

Affected Version(s)

PicoClaw 0.2.0

PicoClaw 0.2.1

PicoClaw 0.2.2

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

AiSec (VulDB User)
VulDB CNA Team