A vulnerability was found in louisho5 picobot up to 0.2.0 and classified as critical. Impacted is the function CreateSkill/GetSkill of the file internal/agent/tools/filesystem.go of the component Workspace Handler. Executing a manipulation can lead to link following.

This vulnerability is registered as CVE-2026-15629. It is possible to launch the attack remotely. Furthermore, an exploit is available.

The project was informed of the problem early through an issue report but has not responded yet.