453 matches found

ATTACKERKB
added 2026/05/05 8:52 p.m., 7 views

CVE-2026-40068

In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Co...

7.7 CVSS, 5.8 AI score, 0.00281 EPSS
Exploits: 0, References: 2, Affected Software: 1
Vulnrichment
added 2026/05/05 8:52 p.m., 6 views

CVE-2026-40068 Claude Code arbitrary code execution via git worktree commondir trust dialog bypass

In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Co...

7.7 CVSS, 5.8 AI score, 0.00281 EPSS
Exploits: 0, References: 1
Cvelist
added 2026/05/05 8:52 p.m., 27 views

CVE-2026-40068 Claude Code arbitrary code execution via git worktree commondir trust dialog bypass

In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Co...

7.7 CVSS, 0.00281 EPSS
Exploits: 0, References: 1
EUVD
added 2026/05/05 8:52 p.m., 23 views

EUVD-2026-27502

In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Co...

7.7 CVSS, 5.8 AI score, 0.00281 EPSS
Exploits: 0, References: 1
CNNVD
added 2026/05/05 12:0 a.m., 6 views

Claude Code Input Validation Error Vulnerability

Claude Code is a native AI programming tool developed by Anthropic. In versions 2.1.63 to 2.1.83 of Claude Code, there is a vulnerability related to input validation errors. This vulnerability arises from the lack of validation for the content of the git worktree commondir file in the folder trus...

8.8 CVSS, 5.9 AI score, 0.00281 EPSS
Exploits: 0, References: 1
GithubExploit
added 2026/04/29 2:46 p.m., 93 views

Threatswarm

27 scope-enforced AI agents that run the full pentest kill-cha...

10 CVSS, 7.5 AI score, 0.99999 EPSS
Exploits: 344
vulnersOsv
added 2026/04/24 4:34 p.m., 5 views

@netlify/agent-runner-cli (>=1.83.1 <=1.94.0-netlifydb.4), feishu-claude-bot (=0.1.0) +1 more potentially affected by CVE-2026-40068 via @anthropic-ai/claude-code (>=2.1.63 <=2.1.81)

@anthropic-ai/claude-code NPM version =2.1.63, =1.83.1, =1.2.2, =1.2.3 Source cves: CVE-2026-40068 Source advisory: SNYK:JS-ANTHROPICAICLAUDECODE-16301567...

8.8 CVSS, 5.8 AI score, 0.00281 EPSS
Exploits: 0
vulnersOsv
added 2026/04/24 4:34 p.m., 4 views

@netlify/agent-runner-cli (>=1.83.1 <=1.94.0-netlifydb.4), feishu-claude-bot (=0.1.0) +1 more potentially affected by CVE-2026-40068 via @anthropic-ai/claude-code (>=2.1.63 <=2.1.81)

@anthropic-ai/claude-code NPM version =2.1.63, =1.83.1, =1.2.2, =1.2.3 Source cves: CVE-2026-40068 Source advisory: OSV:GHSA-Q5HJ-MXQH-VV77...

8.8 CVSS, 5.8 AI score, 0.00281 EPSS
Exploits: 0
Snyk
added 2026/04/24 4:34 p.m., 4 views

Arbitrary Command Injection

Overview: @anthropic-ai/claude-code is a tool to use Claude, Anthropic's AI assistant, right from your terminal. Claude can understand your codebase, edit files, run terminal commands, and handle entire workflows for you. Affected versions of this package are vulnerable to Arbitrary Command Injection via...

8.8 CVSS, 6 AI score, 0.00281 EPSS
Exploits: 0, References: 2
OSV
added 2026/04/24 4:34 p.m., 2 views

GHSA-Q5HJ-MXQH-VV77 Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution

Claude Code used the git worktree commondir file when determining folder trust but did not validate its contents. By crafting a repository with a commondir file pointing to a path the victim had previously trusted, an attacker could bypass the trust dialog and immediately execute malicious hooks...

7.7 CVSS, 5.9 AI score, 0.00281 EPSS
Exploits: 0, References: 3
GithubExploit
added 2026/04/24 3:26 p.m., 86 views

coordinated-disclosure

coordinated-disclosure A Claude Code skill + plugin marketpla...

5.6 AI score
Exploits: 0
Positive Technologies
added 2026/04/24 12:0 a.m., 6 views

PT-2026-37099

Name of the Vulnerable Software and Affected Versions: Claude Code versions 2.1.63 through 2.1.83. Description: The folder trust determination logic fails to validate the contents of the git worktree commondir file. An attacker can craft a malicious repository with a commondir file pointing to a pat...

7.7 CVSS, 5.9 AI score, 0.00281 EPSS
Exploits: 0, References: 7
Tenable Nessus
added 2026/04/24 12:0 a.m., 6 views

Anthropic Claude Code < 2.1.64 Sandbox Escape via Symlink Following (CVE-2026-39861)

The version of Anthropic Claude Code installed on the remote host is prior to 2.1.64. It is, therefore, affected by a sandbox escape vulnerability. - Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code...

10 CVSS, 6.2 AI score, 0.00518 EPSS
Exploits: 0, References: 2
vulnersOsv
added 2026/04/21 6:51 p.m., 5 views

1shot (>=0.0.1 <=0.0.9), @3030-labs/wotw (=0.8.4) +373 more potentially affected by CVE-2026-39861 via @anthropic-ai/claude-code (>=0.2.126 <=2.1.63)

@anthropic-ai/claude-code NPM version =0.2.126, =0.0.1, =1.0.0, =2.1.0, =0.0.0-dev-20260312143810, =1.5.6, =0.1.18, =1.0.0, =0.4.0, =0.11.0 and more Source cves: CVE-2026-39861 Source advisory: OSV:GHSA-VP62-R36R-9XQP...

10 CVSS, 5.4 AI score, 0.00518 EPSS
Exploits: 0
vulnersOsv
added 2026/04/21 6:51 p.m., 7 views

1shot (>=0.0.1 <=0.0.2), @3030-labs/wotw (=0.8.4) +178 more potentially affected by CVE-2026-39861 via @anthropic-ai/claude-code (>=2.0.0 <=2.1.63)

@anthropic-ai/claude-code NPM version =2.0.0, =0.0.1, =2.1.0, =0.0.0-dev-20260312143810, =1.5.6, =0.0.0-main-260517022600, =0.0.0-main-260517043948, =0.2.5, =4.10.0, =2.1.2, =3.0.2 - @chude/memory =4.0.0 and more Source cves: CVE-2026-39861 Source advisory: SNYK:JS-ANTHROPICAICLAUDECODE-16191021...

10 CVSS, 5.4 AI score, 0.00518 EPSS
Exploits: 0
EUVD
added 2026/04/21 6:51 p.m., 4 views

EUVD-2026-24033

Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace...

7.7 CVSS, 5.7 AI score, 0.00518 EPSS
Exploits: 0, References: 2
Snyk
added 2026/04/21 6:51 p.m., 2 views

UNIX Symbolic Link (Symlink) Following

Overview: @anthropic-ai/claude-code is a tool to use Claude, Anthropic's AI assistant, right from your terminal. Claude can understand your codebase, edit files, run terminal commands, and handle entire workflows for you. Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink...

10 CVSS, 6.4 AI score, 0.00518 EPSS
Exploits: 0, References: 3
NVD
added 2026/04/21 1:16 a.m., 1 view

CVE-2026-39861

Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the...

10 CVSS, 0.00518 EPSS
Exploits: 0, References: 1
Cvelist
added 2026/04/21 12:56 a.m., 25 views

CVE-2026-39861 Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace

Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the...

7.7 CVSS, 0.00518 EPSS
Exploits: 0, References: 1
Vulnrichment
added 2026/04/21 12:56 a.m., 2 views

CVE-2026-39861 Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace

Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the...

7.7 CVSS, 6.4 AI score, 0.00518 EPSS
Exploits: 0, References: 1