PatchSiren

Sipeed CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW Sipeed CVE published 2026-07-10

CVE-2026-15320

A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The vulnerability has a CVSS score of 2.1 and is considered Low severity. Users should review and apply patches to [truncated]

MEDIUM Sipeed CVE published 2026-07-10

CVE-2026-15319

A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher, leading to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. Users should apply the patch to remediate this is [truncated]

LOW Sipeed CVE published 2026-07-10

CVE-2026-15318

A weakness has been identified in Sipeed PicoClaw up to 0.2.9, affecting some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument client_id causes incorrect authorization. The attack is possible to be carried out remotely. Users should review the CVE record and NVD detail page for more information.

LOW Sipeed CVE published 2026-07-10

CVE-2026-15317

A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9, affecting the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. This vulnerability results in server-side request forgery (SSRF) and can be executed remotely. Users of Sipeed PicoClaw up to 0.2.9 should be aware of this vulnerability and take necessary precautions to protect th [truncated]

HIGH Sipeed CVE published 2026-05-27

CVE-2026-36045

CVE-2026-36045 describes an OS command injection vulnerability in picoclaw versions v0.1.2 and earlier. The vulnerability exists in the ExecTool component (pkg/tools/shell.go), specifically within the guardCommand() function. This function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete and can be bypassed. The CVE was published on 202 [truncated]