Which versions of Claude HUD are affected by EUVD-2026-30802?

Claude-hud on Windows allows local users with system access to escalate their privileges and execute arbitrary code through an environment variable handling flaw.. A patch is available.

Claude HUD EUVD-2026-30802

Q: What is the CVSS score of EUVD-2026-30802?

EUVD-2026-30802 has a CVSS 4.0 base score of 7.3 (High). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-47092 HIGH

Uncontrolled Search Path Element (CWE-427)

2026-05-18 VulnCheck

GHSA-p5qq-v9mc-39ff

RCE Command Injection Microsoft Claude Hud

7.3

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 18, 2026 - 20:30 vuln.today

Analysis Generated

May 18, 2026 - 20:30 vuln.today

CVSS changed

May 18, 2026 - 20:22 NVD

7.8 (HIGH) 7.3 (HIGH)

DescriptionNVD

Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud performs its version check, causing execFile() to execute the attacker-supplied executable with cmd.exe arguments, resulting in arbitrary code execution on Windows systems.

AnalysisAI

Local privilege code execution in jarrodwatts/claude-hud through version 0.0.12 on Windows allows authenticated local users to run arbitrary executables by setting the COMSPEC environment variable before the tool's version check, where execFile() launches whatever binary COMSPEC points to with cmd.exe-style arguments. The flaw is tracked as CWE-427 (Uncontrolled Search Path Element) and was reported by VulnCheck; no public exploit identified at time of analysis, but the upstream commit 234d9aa makes the fix mechanics straightforward to reverse-engineer.

RemediationAI

Within 24 hours: Inventory all Windows systems running claude-hud versions ≤0.0.12; restrict local user access to these systems if immediate patching is not feasible. Within 7 days: Update all instances to the latest available patched version per jarrodwatts/claude-hud vendor advisory. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory