PT-2026-60767 · Poco Ai · Poco-Claw

·

CVE-2026-16016

·

Published

2026-07-17

·

Updated

2026-07-17

CVSS v3.1

7.3

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
A vulnerability was identified in poco-ai poco-claw up to 0.5.4. This issue affects the function run task of the file executor/app/api/v1/task.py. The manipulation of the argument callback url leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The reported GitHub issue was closed automatically due to inactivity.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-16016

Affected Products

Poco-Claw