PatchSiren cyber security CVE debrief
CVE-2026-16082 Sipeed CVE debrief
A vulnerability was identified in Sipeed PicoClaw up to 0.2.9, affecting the function ExecTool.executeRun of the file pkg/agent/pipeline_execute.go. The manipulation of the argument cwe leads to time-of-check time-of-use. The attack must be carried out locally. This vulnerability has a low CVSS score of 1.9 and is considered low severity. Users of Sipeed PicoClaw up to 0.2.9 should review and apply patches or mitigations. The exploit is publicly available, and defenders should verify the affected scope and severity with the vendor.
- Vendor
- Sipeed
- Product
- PicoClaw
- CVSS
- LOW 1.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-18
- Original CVE updated
- 2026-07-18
- Advisory published
- 2026-07-18
- Advisory updated
- 2026-07-18
Who should care
Users of Sipeed PicoClaw up to 0.2.9 should review and apply patches or mitigations. Operators of affected systems, platform administrators, vulnerability management teams, and security teams should be aware of the vulnerability and its potential impact. The vulnerability requires local access, and defenders should verify the affected scope and severity with the vendor.
Technical summary
The vulnerability exists in the ExecTool.executeRun function of the pkg/agent/pipeline_execute.go file in Sipeed PicoClaw up to 0.2.9. The vulnerability is due to improper handling of the cwe argument, leading to a time-of-check time-of-use issue. The attack requires local access and has a low CVSS score of 1.9, indicating low severity. The CVE record was published on 2026-07-18T09:17:07.783Z and has not been modified since then.
Defensive priority
Low priority due to local attack requirement and low CVSS score.
Recommended defensive actions
- Review and apply patches or mitigations for Sipeed PicoClaw up to 0.2.9
- Restrict local access to the affected system
- Monitor for suspicious activity
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The reported GitHub issue was closed automatically with the label 'not planned' by a bot. The exploit is publicly available. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record was published on 2026-07-18T09:17:07.783Z and has not been modified since then. The vulnerability exists in the ExecTool.executeRun function of the pkg/agent/pipeline_execute.go file in Sipeed PicoClaw up to 0.2.9.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T09:17:07.783Z and has not been modified since then.