CVE-2026-54316

Claude Code exposed an out-of-band data exfiltration risk due to pre-approved huggingface.co as a bare hostname for WebFetch in versions 0.2.54–2.1.163. An attacker who could inject untrusted content into a Claude Code context could force WebFetch to access attacker-controlled model repos (e.g., ...