picoclaw is vulnerable to OS command injection via the ExecTool component in github.com/sipeed/picoclaw
{ "url": "https://pkg.go.dev/vuln/GO-2026-5867", "review_status": "UNREVIEWED" }
"https://vuln.go.dev/ID/GO-2026-5867.json"