16 matches found
CVE-2026-47090
Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can...
CVE-2026-47090
Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can...
CVE-2026-47090
Claude HUD up to version 0.0.12 is affected by a terminal-injection vulnerability in OSC 8 hyperlink handling. The root cause is constructing OSC 8 sequences from raw cwd and branchUrl values without stripping control characters or encoding embedded values, enabling injection of ANSI codes into t...
CVE-2026-47090 Claude HUD 0.0.12 Terminal Injection via OSC 8 Hyperlinks
Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can...
CVE-2025-67746 Composer vulnerable to ANSI sequence injection
Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and...
PT-2025-43997
Name of the Vulnerable Software and Affected Versions: Apache Tomcat versions 8.5.60 through 8.5.100; Apache Tomcat versions 9.0.40 through 9.0.108; Apache Tomcat versions 10.1.0-M1 through 10.1.44; Apache Tomcat versions 11.0.0-M1 through 11.0.10. Description: Tomcat did not properly handle ANSI escap...
@alancastro06/coolsolelog (=22.14.0), albot (>=0.1.0 <=0.14.1) +43 more potentially affected by unknown CVE via ansi-codes (>=0.0.0 <=2.0.0)
ansi-codes NPM version =0.0.0, =0.1.0, =0.0.10, =7.1.0, =0.0.8, =0.0.0, =0.0.0, =0.0.0, =0.0.0, =1.0.0, =0.0.1, =0.0.0, =0.0.2 and more Source cves: unknown CVE Source advisory: OSV:MAL-2025-14554...
Malicious code in ansi-codes (npm)
The package ansi-codes was found to contain malicious code...
MAL-2025-14554 Malicious code in ansi-codes (npm)
The package ansi-codes was found to contain malicious code...
Interactive `run` permission prompt spoofing via improper ANSI neutralization
Summary: Arbitrary program names without any ANSI filtering allow any malicious program to clear the first 2 lines of an `op_spawn_child` or `op_kill` prompt and replace it with any desired text. Details: The main entry point comes down to the ability to override what the API control says `40_process.js`...
SUSE CVE-2019-6109
An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server or Man-in-The-Middle attacker can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This...
SUSE CVE-2019-6110
In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server or Man-in-The-Middle attacker can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred...
nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
A regular expression denial of service ReDoS vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes...
VulnCheck KEV: CVE-2019-6110
In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server or Man-in-The-Middle attacker can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred...
DEBIAN-CVE-2019-6110
In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server or Man-in-The-Middle attacker can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred...
[SECURITY] New versions of ircII fixes security problem
David Holland has reported that a remote user may send arbitrary characters - ANSI codes - to a user's terminal. This is considered harmful. The following versions fix this problem. dpkg -i file.deb will install the referred file. Debian GNU/Linux 1.3.1 alias bo -------------------------------...