478 matches found
CVE-2026-54316
A flaw was found in Claude Code, an agentic coding tool. An attacker could exploit a misconfiguration in the tool's web request functionality, known as WebFetch, where the huggingface.co domain was pre-approved without proper path restrictions. By injecting untrusted content into a Claude Code...
Anthropic Claude Code 2.1.38 < 2.1.163 Sandbox Escape (CVE-2026-55607)
The version of Anthropic Claude Code installed on the remote host is 2.1.38 prior to 2.1.163. It is, therefore, affected by a sandbox escape vulnerability: - Claude Code's worktree handling allowed creation of worktrees named '.git' and navigation to worktrees outside the sandbox context, enablin...
Anthropic Claude Code 2.1.59 < 2.1.128 Information Disclosure (CVE-2026-46406)
The version of Anthropic Claude Code installed on the remote host is 2.1.59 prior to 2.1.128. It is, therefore, affected by an information disclosure vulnerability: - The Claude Code /copy command wrote responses to a hardcoded, predictable path /tmp/claude/response.md without UID isolation,...
CVE-2026-55607
A flaw was found in Claude Code, an agentic coding tool, in its handling of worktrees. This vulnerability allowed the creation of specially named worktrees and navigation outside of the intended secure environment, leading to what is known as a 'git directory confusion attack'. By manipulating...
CVE-2026-46406
A flaw was found in Claude Code. The /copy command created responses in a predictable, world-readable temporary file without proper isolation or symlink protection. This allowed a local unprivileged user to read sensitive information from a privileged user's Claude response, potentially containin...
CVE-2026-55607
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor...
CVE-2026-46406
Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path /tmp/claude/response.md without UID isolation, randomness, or symlink protection. The file was created world-readable 0644 in a world-traversable...
CVE-2026-55607
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor...
EUVD-2026-40117
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor...
CVE-2026-55607 Claude Code: Sandbox Escape via Git Worktree Path Confusion Allows Unsandboxed Code Execution
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor...
EUVD-2026-40116
Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path /tmp/claude/response.md without UID isolation, randomness, or symlink protection. The file was created world-readable 0644 in a world-traversable...
CVE-2026-46406
CVE-2026-46406 affects @anthropic-ai/claude-code versions 2.1.59 through 2.1.128. The /copy command writes responses to a hardcoded, predictable path (/tmp/claude/response.md) with UID isolation, randomness, and symlink protections missing. The file is world-readable (0644) in a world-traversable...
CVE-2026-46406 Claude Code: Insecure Temporary File in /copy Command Enables Response Disclosure and Symlink-Based File Write
Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path /tmp/claude/response.md without UID isolation, randomness, or symlink protection. The file was created world-readable 0644 in a world-traversable...
PYSEC-2026-418 MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. ...
PT-2026-52680
Name of the Vulnerable Software and Affected Versions Claude Code versions 2.1.38 through 2.1.162 Description Claude Code's worktree handling allows the creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By...
GHSA-4VP2-6Q8C-PVQ2 @anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write
The Claude Code /copy command wrote responses to a hardcoded, predictable path /tmp/claude/response.md without UID isolation, randomness, or symlink protection. The file was created world-readable 0644 in a world-traversable directory 0755, allowing any local user to read a privileged user's Clau...
Insecure Temporary File
Overview @anthropic-ai/claude-code is an Use Claude, Anthropic's AI assistant, right from your terminal. Claude can understand your codebase, edit files, run terminal commands, and handle entire workflows for you. Affected versions of this package are vulnerable to Insecure Temporary File via the...
CVE-2026-54316
Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject ...
CVE-2026-54316
Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject ...
CVE-2026-54316 Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch
Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject ...