CVE-2026-16016
poco-ai poco-claw task.py run_task server-side request forgery
CVSS Score
7.3
EPSS Score
0.0%
EPSS Percentile
0th
A vulnerability was identified in poco-ai poco-claw up to 0.5.4. This issue affects the function run_task of the file executor/app/api/v1/task.py. The manipulation of the argument callback_url leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The reported GitHub issue was closed automatically due to inactivity.
| CWE | CWE-918 |
| Vendor | poco-ai |
| Product | poco-claw |
| Published | Jul 17, 2026 |
| Last Updated | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for poco-ai poco-claw
Be the first to know when new high vulnerabilities affecting poco-ai poco-claw are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
poco-ai / poco-claw
0.5.0 0.5.1 0.5.2 0.5.3 0.5.4
References
Credits
๐ Erichen (VulDB User) VulDB CNA Team