Product
A high-severity server-side request forgery (SSRF) vulnerability, identified as CVE-2026-16016, exists in poco-ai's poco-claw software up to version 0.5.4, allowing remote attackers to manipulate the `callback_url` argument in the `run_task` function to force the server to make arbitrary requests, with a public exploit available posing an immediate risk.