A vulnerability labeled as critical has been found in mosaxiv clawlet up to 0.2.10. This affects the function tools.webFetch of the file tools/tool_web_fetch.go. Such manipulation leads to server-side request forgery.

This vulnerability is uniquely identified as CVE-2026-15620. The attack can be launched remotely. Moreover, an exploit is present.

The reported GitHub issue was closed with the label “not planned”.