Is there a public PoC exploit available for CVE-2026-7235?

Yes, a public proof-of-concept exploit is available for CVE-2026-7235. Prioritise patching immediately. EPSS: 0.0%.

claude-agent-sdk-master CVE-2026-7235

Q: What is the CVSS score of CVE-2026-7235?

CVE-2026-7235 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-26007 MEDIUM

Path Traversal (CWE-22)

2026-04-28 VulDB

Path Traversal

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

PoC Detected

Apr 28, 2026 - 20:31 vuln.today

Public exploit code

CVSS changed

Apr 28, 2026 - 08:22 NVD

5.3 (MEDIUM) 5.5 (MEDIUM)

Analysis Generated

Apr 28, 2026 - 08:00 vuln.today

EUVD ID Assigned

Apr 28, 2026 - 07:30 euvd

EUVD-2026-26007

Analysis Generated

Apr 28, 2026 - 07:30 vuln.today

CVE Published

Apr 28, 2026 - 06:30 nvd

MEDIUM 5.5

DescriptionNVD

A security vulnerability has been detected in ErlichLiu claude-agent-sdk-master up to b185aa7ff0d864581257008077b4010fca1747bf. Affected by this vulnerability is an unknown functionality of the file app/api/agent-output/route.ts. The manipulation of the argument outputFile leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Path traversal vulnerability in ErlichLiu claude-agent-sdk-master allows remote unauthenticated attackers to read arbitrary files by manipulating the outputFile parameter in app/api/agent-output/route.ts. The vulnerability has a CVSS score of 5.3 (low integrity impact) and publicly available exploit code exists, though the project uses rolling releases and the maintainer has not yet responded to disclosure.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7235 vulnerability details – vuln.today

Back

claude-agent-sdk-master CVE-2026-7235

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Analysis

Full analysis requires sign-in

Share

claude-agent-sdk-master CVE-2026-7235

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code