### Vulnerability Overview

- **Vulnerability Name**: PicoClaw up to 0.2.4 Web Launcher Plane /api/gateway/restart command injection
- **Vulnerability ID**: CVE-2026-6987
- **CVSS Score**: 6.6 (CVSS v3.1)
- **Vulnerability Type**: Command Injection
- **Vulnerability Description**: A critical vulnerability has been identified in PicoClaw up to version 0.2.4. The affected element is an unknown function within the `/api/gateway/restart` file of the Web Launcher component. The vulnerability allows remote attackers to perform command injection by submitting crafted commands.

### Impact Scope

- **Affected Versions**: PicoClaw 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4
- **Affected Component**: `/api/gateway/restart` file of the Web Launcher component
- **Attack Vector**: Remote
- **Attack Complexity**: Low
- **Authentication Requirement**: None
- **Impact Scope**: Confidentiality, Integrity, and Availability are all affected

### Remediation

- **Current Status**: The project has been notified of this issue via an issue report but has not yet responded.
- **Recommended Measures**: No known mitigations are currently available. It is recommended to update to the latest version as soon as possible or seek alternative products.

### Additional Information

- **CVSS Vector**: `AV:N/AC:L/Au:N/C:P/I:P/A:P`
- **CWE Definition**: CWE-77 (Command Injection)
- **CAPEC**: Not defined
- **ATT&CK**: Not defined
- **Physical Access**: No
- **Local Access**: No
- **Remote Access**: Yes
- **Availability**: Not defined
- **Status**: Proof of Concept
- **Price Forecast**: Not defined
- **Current Price Estimate**: Not defined

### Timeline

- **April 24, 2026**: Vulnerability disclosed
- **April 25, 2026**: VulDB entry created
- **April 25, 2026**: VulDB entry last updated

### Sources

- **CVE**: CVE-2026-6987
- **GCVE (VulDB)**: GCVE-100-399530
- **EUVDB**: Not defined
- **scip Labs**: https://www.scip.ch/en/?labs.20161013

### Submission Information

- **Submission ID**: #796336
- **Submission Content**: PicoClaw V0.2.4 Command execution by AiSec

---

**Note**: The page does not contain POC code or exploit code.