CVE-2026-16016
HIGH Exploitation: PoC
7.3
CVSS 3.1
Description
A vulnerability was identified in poco-ai poco-claw up to 0.5.4. This issue affects the function run_task of the file executor/app/api/v1/task.py. The manipulation of the argument callback_url leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The reported GitHub issue was closed automatically due to inactivity.
Metadata
Severity & Metrics
7.3
HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| poco-ai | poco-claw | — | 0.5.0, 0.5.1, 0.5.2, 0.5.3 … |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-918 | cna | Server-Side Request Forgery |
CVSS scores (4)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.5 | N/D | 2.0 | cna | AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR |
| 7.3 | HIGH | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R |
| 7.3 | HIGH | 3.0 | cna | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R |
| 6.9 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
References (6)
- VDB-379758 | poco-ai poco-claw task.py run_task server-side request forgery https://vuldb.com/vuln/379758
- VDB-379758 | CTI Indicators (IOB, IOC, IOA) https://vuldb.com/vuln/379758/cti
- CVE-2026-16016 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-16016
- Submit #856814 | poco-ai poco-agent 0.5.4 Server-Side Request Forgery / SSRF (CWE-918) https://vuldb.com/submit/856814
- https://github.com/poco-ai/poco-claw/issues/138
- https://github.com/poco-ai/poco-claw/