CVE-2026-16081
Severity CVSS v4.0:
LOW
Type:
CWE-352
Cross-Site Request Forgery (CSRF)
Publication date:
18/07/2026
Last modified:
18/07/2026
Description
A vulnerability was determined in Sipeed PicoClaw up to 0.2.9. The affected element is an unknown function of the file web/backend/api/auth.go. Executing a manipulation can lead to cross-site request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 4b0229351678f479429b8d8b19207757266f246b. Applying a patch is advised to resolve this issue.
Impact
Base Score 4.0
2.10
Severity 4.0
LOW
Base Score 3.x
4.30
Severity 3.x
MEDIUM
Base Score 2.0
5.00
Severity 2.0
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/sipeed/picoclaw/
- https://github.com/sipeed/picoclaw/commit/4b0229351678f479429b8d8b19207757266f246b
- https://github.com/sipeed/picoclaw/issues/3072
- https://github.com/sipeed/picoclaw/pull/3160
- https://vuldb.com/cve/CVE-2026-16081
- https://vuldb.com/submit/852943
- https://vuldb.com/vuln/379793
- https://vuldb.com/vuln/379793/cti



