Is there a patch available for EUVD-2026-30801?

Yes, a patch is available for EUVD-2026-30801. Update the affected software to the latest version immediately.

Claude Hud EUVD-2026-30801

Q: What is the CVSS score of EUVD-2026-30801?

EUVD-2026-30801 has a CVSS 4.0 base score of 2.4 (Low). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-47090 LOW

Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)

2026-05-18 VulnCheck

GHSA-f378-wf84-8j5h

RCE Claude Hud

2.4

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 18, 2026 - 20:31 vuln.today

Analysis Generated

May 18, 2026 - 20:31 vuln.today

Severity Changed

May 18, 2026 - 20:22 NVD

MEDIUM LOW

CVSS changed

May 18, 2026 - 20:22 NVD

4.6 (MEDIUM) 2.4 (LOW)

DescriptionNVD

Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can embed ESC+backslash sequences in the current working directory or branch URL to execute malicious ANSI codes including text color changes, forged prompts, and OSC 52 clipboard writes, or trigger outbound HTTP requests to attacker-controlled remotes when hyperlinks are clicked.

AnalysisAI

Terminal injection in Claude HUD through version 0.0.12 allows an attacker who controls a Git branch name or working directory path to embed arbitrary ANSI escape sequences into terminal sessions via unsanitized OSC 8 hyperlink construction. When a user runs Claude HUD in an affected terminal emulator and clicks a rendered project or branch hyperlink, injected sequences—including OSC 52 clipboard writes and forged prompts—are processed by the terminal. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-30801 vulnerability details – vuln.today

Back