CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the prompt editor invocation utility that allows attackers to execute arbitrary commands by crafting malicious file paths. Attackers can inject shell metacharacters such as $() or backtick expressions into file paths that are interpolated into shell commands executed via execSync. Although the file path is wrapped in double quotes, POSIX shell semantics (POSIX §2.2.3) do not prevent command substitution within double quotes, allowing injected expressions to be evaluated and resulting in arbitrary command execution with the privileges of the user running the CLI.
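The quoting behavior described above, shown as an added example (not code from Anthropic or from this advisory): the vulnerable interpolation pattern beside a shell-free form. `printf` stands in for the editor binary, and the function names, `EDITOR_STUB` and the sample paths are assumptions constructed for illustration.

```javascript
const { execSync, execFileSync } = require("child_process");

// Stand-in for the editor binary (assumption): printf '%s' echoes back the
// exact argument it received, so we can see what the shell did to the path.
const EDITOR_STUB = "printf";

// Vulnerable pattern from the description: the path is interpolated into a
// command string and run through /bin/sh. The double quotes stop word
// splitting and globbing, but $() and backticks are still expanded.
function openEditorUnsafe(filePath) {
  return execSync(`${EDITOR_STUB} '%s' "${filePath}"`, { encoding: "utf8" });
}

// Hardened form: no shell is involved; the path is one argv element and
// reaches the program byte for byte.
function openEditorSafe(filePath) {
  return execFileSync(EDITOR_STUB, ["%s", filePath], { encoding: "utf8" });
}

// Defense in depth: characters that keep their special meaning inside POSIX
// double quotes ($, backtick, backslash) or that end the quoted string (").
function activeInDoubleQuotes(filePath) {
  return /[$`\\"]/.test(filePath);
}

// Constructed sample paths; the substituted command is a harmless echo.
const SAMPLES = [
  "/tmp/notes.md",
  "/tmp/notes-$(echo INJECTED).md",
  "/tmp/notes-`echo INJECTED`.md",
];

// Runs one path through both forms and reports what the program received.
function compare(filePath) {
  return {
    flagged: activeInDoubleQuotes(filePath),
    viaShell: openEditorUnsafe(filePath),
    viaArgv: openEditorSafe(filePath),
  };
}

for (const p of SAMPLES) console.log(JSON.stringify(compare(p)));
```

In the shell-based form the program receives a path the shell has already rewritten, while the argv form receives the original string unchanged.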
Analysis
OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python enables arbitrary command execution via malicious file paths containing shell metacharacters. Local attackers can exploit POSIX shell command substitution within double-quoted strings to execute commands with user privileges. …
Remediation
Within 24 hours: Inventory all systems running Claude Code CLI and Claude Agent SDK for Python; identify which versions are deployed and which development/CI teams use these tools. Within 7 days: Implement input validation to sanitize file paths before passing them to Claude tools, restrict Claude CLI usage to trusted input sources only, and enforce the principle of least privilege for service accounts running these tools in CI/CD. …
EUVD-2026-19440
GHSA-72p2-f44p-v65f