Lucene search
K

326 matches found

Positive Technologies
Positive Technologies
added 2026/03/19 12:0 a.m.7 views

PT-2026-26297

Name of the Vulnerable Software and Affected Versions Claude Code versions prior to 2.1.53 Description Claude Code is an agentic coding tool that experienced a loading order issue in its settings loader. The software resolved the permission mode from settings files, such as the...

8.8CVSS5.8AI score0.00337EPSS
Exploits0References25
Positive Technologies
Positive Technologies
added 2026/02/18 12:0 a.m.12 views

PT-2026-20516

MajorDoMo aka Major Domestic Module is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin method through the /objects/?module=saverestore endpoint without authentication because it uses gr'mode'...

9.8CVSS6.8AI score0.01086EPSS
Exploits4References3
Github Security Blog
Github Security Blog
added 2026/02/06 7:14 p.m.16 views

Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json

Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints,...

10CVSS5.6AI score0.00416EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/02/06 7:14 p.m.78 views

GHSA-FF64-7W26-62RF Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json

Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints,...

7.7CVSS5.6AI score0.00416EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/02/06 7:8 p.m.10 views

Claude Code has Permission Deny Bypass Through Symbolic Links

Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file such as /etc/passwd and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude...

7.5CVSS5.4AI score0.00376EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/02/06 7:8 p.m.7 views

GHSA-4Q92-RFM6-2CQX Claude Code has Permission Deny Bypass Through Symbolic Links

Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file such as /etc/passwd and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude...

2.3CVSS5.4AI score0.00376EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/02/06 7:4 p.m.11 views

Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions

Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope. Exploiting this require...

7.7CVSS5.6AI score0.00264EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/02/06 7:2 p.m.4 views

GHSA-66Q4-VFJG-2QHH Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection

Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmation. Reliabl...

7.7CVSS5.5AI score0.00357EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/06 12:0 a.m.5 views

PT-2026-6850

Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file such as /etc/passwd and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude...

2.3CVSS5.5AI score0.00376EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/02/06 12:0 a.m.17 views

PT-2026-6858

Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints,...

7.7CVSS5.7AI score0.00416EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/02/06 12:0 a.m.6 views

PT-2026-6853

Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmation. Reliabl...

7.7CVSS5.6AI score0.00357EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/02/03 7:33 p.m.7 views

Claude Code has a Command Injection in find Command Bypasses User Approval Prompt

Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. Users on standard Claude...

8.8CVSS5.8AI score0.00562EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/02/03 7:33 p.m.3 views

GHSA-QGQW-H4XQ-7W8W Claude Code has a Command Injection in find Command Bypasses User Approval Prompt

Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. Users on standard Claude...

7.7CVSS5.8AI score0.00562EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/02/03 7:32 p.m.11 views

Claude Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes

Due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted content into a...

7.7CVSS5.5AI score0.00464EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/03 12:0 a.m.5 views

PT-2026-6464

Due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted content into a...

7.7CVSS5.7AI score0.00464EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/01/29 3:26 a.m.7 views

CVE-2022-40620

FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS certificates when downloading update packages through its auto-update mechanism. An attacker suitably positioned on the network could intercept the update request and deliver a...

7.7CVSS6.4AI score0.00274EPSS
Exploits1References1
OSV
OSV
added 2026/01/21 1:0 a.m.21 views

GHSA-JH7P-QR78-84P7 Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation

A vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. If a user started Claude Code in an attacker-controller repository, and the repository included a settings file that set ANTHROPICBASEURL...

5.3CVSS5.7AI score0.2297EPSS
Exploits2References3
EUVD
EUVD
added 2025/10/29 9:30 p.m.9 views

EUVD-2025-36719

memoQ 10.1.13.ef1b2b52aae and earlier contains an unquoted service path vulnerability in the memoQ Auto Update Service memoQauhlp101. The affected service is installed with a path containing spaces and without surrounding quotes. This misconfiguration allows local users to escalate privileges to...

6.1AI score0.00129EPSS
Exploits0References3
Cvelist
Cvelist
added 2025/10/29 12:0 a.m.8 views

CVE-2025-60320

memoQ 10.1.13.ef1b2b52aae and earlier contains an unquoted service path vulnerability in the memoQ Auto Update Service memoQauhlp101. The affected service is installed with a path containing spaces and without surrounding quotes. This misconfiguration allows local users to escalate privileges to...

0.00129EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2025/10/29 12:0 a.m.5 views

PT-2025-44347

Name of the Vulnerable Software and Affected Versions memoQ versions 10.1.13.ef1b2b52aae and earlier Description memoQ versions 10.1.13.ef1b2b52aae and earlier contain an unquoted service path vulnerability in the memoQ Auto Update Service memoQauhlp101. The service is installed with a path...

6.7CVSS6.4AI score0.00129EPSS
Exploits0References7
Rows per page
Query Builder