Review
Sipeed
CVE published 2026-05-27
CVE-2026-36045
CVE-2026-36045 describes an OS command injection vulnerability in picoclaw versions v0.1.2 and earlier. The vulnerability exists in the ExecTool component (pkg/tools/shell.go), specifically within the guardCommand() function. This function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete and can be bypassed. The CVE was published on 202 [truncated]
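
An allowlist alternative to a denylist guard like the guardCommand() described above, as an added example that is not picoclaw's code or its fix. The names validateCommand and runCommand, the allowlist contents and the sample inputs are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"unicode"
)

// Constructed allowlist for this example; names are bare, so path forms of
// the same binary ("/bin/ls", "./ls") do not match and are rejected.
var allowedBinaries = map[string]bool{"ls": true, "wc": true, "date": true}

// Characters that only mean something to a shell. No shell is ever invoked,
// so their presence marks input the tool was not designed to handle.
const shellMeta = ";&|<>$`\\\"'(){}[]*?~!#"

var errRejected = errors.New("command rejected")

// validateCommand (hypothetical name) returns an argv slice only when the
// input is plain words and argv[0] is allowlisted; everything else fails closed.
func validateCommand(input string) ([]string, error) {
	if strings.ContainsAny(input, shellMeta) || strings.IndexFunc(input, unicode.IsControl) >= 0 {
		return nil, fmt.Errorf("%w: shell syntax or control character", errRejected)
	}
	argv := strings.Fields(input)
	if len(argv) == 0 || !allowedBinaries[argv[0]] {
		return nil, fmt.Errorf("%w: binary not allowlisted", errRejected)
	}
	return argv, nil
}

// runCommand executes the validated argv directly, without "sh -c", so the
// string is never re-parsed as shell code after validation.
func runCommand(input string) ([]byte, error) {
	argv, err := validateCommand(input)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...).Output()
}

func main() {
	for _, in := range []string{"ls -la", "date; ls", "/bin/ls", "unknowntool x"} { // constructed inputs
		_, err := validateCommand(in)
		fmt.Printf("%-16q -> %v\n", in, err)
	}
}
```

Allowlisting a binary does not constrain its arguments, so the list should hold only tools that are safe to run with arbitrary arguments.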