PT-2026-43703 · Undefined · Undefined

Nucleiav

Published

2026-05-27

Updated

2026-05-27

CVE-2026-36045

CVSS v3.1

7.3

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

picoclaw <=v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component (pkg/tools/shell.go). The guardCommand() function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2026-36045

Affected Products

Undefined

PT-2026-43703 · Undefined · Undefined

CVE-2026-36045

Weakness Enumeration

Related Identifiers

Affected Products

References · 3