GHSA-6r3x-h84w-fhxx

Source

https://github.com/advisories/GHSA-6r3x-h84w-fhxx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-6r3x-h84w-fhxx/GHSA-6r3x-h84w-fhxx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6r3x-h84w-fhxx

Aliases

CVE-2026-6987

Published

2026-04-25T18:32:58Z

Modified

2026-05-07T16:52:40.288420Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

PicoClaw has an Injection issue in its Web Launcher Management Plane component

Details

A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet.

Database specific

{
    "cwe_ids": [
        "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T16:33:57Z",
    "nvd_published_at": "2026-04-25T17:16:33Z",
    "severity": "MODERATE"
}

References

Affected packages

Go / github.com/sipeed/picoclaw

Package

Name: github.com/sipeed/picoclaw; View open source insights on deps.dev
Purl: pkg:golang/github.com/sipeed/picoclaw

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.2.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-6r3x-h84w-fhxx/GHSA-6r3x-h84w-fhxx.json"