Skip to main content

Claude Code

24 CVEs product

Monthly

CVE-2026-55607 HIGH PATCH This Week

Sandbox escape and code execution in Anthropic's Claude Code CLI (versions 2.1.38 through 2.1.162) lets a malicious repository break out of the macOS seatbelt sandbox by abusing git worktree handling. By creating a worktree named ".git" and combining symlink manipulation with git fsmonitor execution, an attacker can overwrite files in the user's home directory such as .zshenv to achieve code execution outside the sandbox. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation is realistic since it only requires a user to clone and open a booby-trapped repo; it is fixed in 2.1.163.

Path Traversal RCE Claude Code
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.7%
CVE-2026-39861 npm HIGH POC PATCH GHSA This Week

Sandbox escape in Claude Code versions prior to 2.1.64 enables arbitrary file writes outside the workspace by exploiting symlink handling between sandboxed and unsandboxed processes, potentially leading to code execution. The vulnerability requires prompt injection to trigger malicious sandboxed code execution, creating an exploitable chain where neither component can independently breach the sandbox but their interaction does. EPSS score of 0.08% (23rd percentile) suggests limited real-world exploitation likelihood, and CISA SSVC indicates no known exploitation with non-automatable attack requirements. Version 2.1.64 patches this issue, auto-deployed to standard installations.

Path Traversal RCE Claude Code
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-35022 CRITICAL POC Act Now

OS command injection in Anthropic Claude Code CLI and Agent SDK for Python allows remote, unauthenticated attackers to execute arbitrary commands through unsanitized authentication helper parameters processed with shell=true. The vulnerability enables credential theft and environment variable exfiltration in CI/CD pipelines where these tools run with elevated automation privileges. Publicly available exploit code exists, creating immediate risk for organizations using these SDKs in automated workflows.

Command Injection Claude Code Claude Agent Sdk For Python
NVD VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-35021 HIGH POC This Week

OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python enables arbitrary command execution via malicious file paths containing shell metacharacters. Local attackers can exploit POSIX shell command substitution within double-quoted strings to execute commands with user privileges. Publicly available exploit code exists. With CVSS 8.4 (High) and local attack vector requiring user interaction, this represents elevated risk in CI/CD pipelines and development environments where untrusted file paths may be processed.

Command Injection Claude Code Claude Agent Sdk For Python
NVD VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-35020 HIGH POC This Week

OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python allows local attackers to execute arbitrary commands by poisoning the TERMINAL environment variable with shell metacharacters. The vulnerability affects both normal CLI operations and deep-link handlers, enabling privilege escalation to the user context running the CLI. Publicly available exploit code exists. With CVSS 8.6 (High) severity, this presents significant risk in CI/CD pipelines and developer environments where environment variables may be attacker-controlled.

Command Injection Claude Code Claude Agent Sdk For Python
NVD VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-25725 npm CRITICAL PATCH Act Now

Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code execution outside the intended sandbox boundary.

Privilege Escalation Code Injection RCE Docker Linux +2
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-25724 npm LOW PATCH Monitor

Claude Code versions prior to 2.1.7 allow unauthorized file access by bypassing deny rules through symbolic link traversal, enabling attackers to read restricted files that administrators explicitly blocked. An attacker with access to the system can exploit this vulnerability to access sensitive files like /etc/passwd by leveraging symlinks that point to denied resources. This vulnerability affects AI/ML tools using Claude Code and currently has no available patch.

Information Disclosure Claude Code
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-25723 npm MEDIUM PATCH This Month

Claude Code versions prior to 2.0.55 insufficiently validate piped sed commands, permitting authenticated users to circumvent file write protections and deposit files in restricted directories including .claude folders and locations outside project scope. An attacker with access to the "accept edits" feature can exploit this to write malicious content to sensitive areas of the system. A patch is available in version 2.0.55 and later.

Code Injection AI / ML Claude Code
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-25722 npm CRITICAL PATCH Act Now

Claude Code prior to version 2.0.57 failed to properly validate MCP tool inputs, allowing malicious MCP servers to inject commands through tool responses.

Code Injection AI / ML Claude Code
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-24887 npm HIGH POC PATCH This Week

Claude Code versions before 2.0.72 allow authenticated attackers to execute arbitrary commands by exploiting a command parsing defect that bypasses the execution confirmation prompt via malicious find command syntax. An attacker with the ability to inject untrusted content into a Claude Code context can trigger unintended command execution with high impact to confidentiality, integrity, and availability. No patch is currently available for affected deployments.

Command Injection AI / ML Claude Code
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-24053 npm MEDIUM PATCH This Month

Claude Code versions prior to 2.0.74 allow authenticated users to write files outside designated directories by exploiting inadequate Bash command validation in ZSH clobber syntax parsing. An attacker with the ability to inject malicious content into a Claude Code context window on a ZSH-based system can bypass file restrictions and achieve unauthorized file writes without triggering user permission prompts. This vulnerability requires user interaction and ZSH environment configuration, making it suitable for supply chain or prompt injection attacks against Claude Code users.

Path Traversal AI / ML Claude Code
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24052 npm HIGH PATCH This Week

Claude Code versions prior to 1.0.111 fail to properly validate trusted domains for WebFetch requests, allowing attackers to register lookalike domains (e.g., modelcontextprotocol.io.example.com) that bypass validation checks. This enables unauthorized automated requests to attacker-controlled servers without user interaction, potentially resulting in sensitive data exfiltration from the user's environment. The vulnerability affects Claude Code's agentic coding functionality and requires upgrading to version 1.0.111 or later to remediate.

Python AI / ML Claude Code
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-21852 npm HIGH POC PATCH This Week

Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious repositories that redirect API calls to attacker-controlled servers before the trust confirmation dialog appears. When a victim opens an infected repository, the tool automatically reads malicious configuration settings and sends API requests containing credentials before displaying any security prompt, enabling credential theft. Users should upgrade to version 2.0.65 or later, though auto-update users have already received the patch.

Authentication Bypass AI / ML Claude Code
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-66032 npm CRITICAL POC PATCH Act Now

Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93.

Command Injection RCE Claude Code
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-64755 npm HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Claude Code
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-65099 npm HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Claude Code
NVD GitHub
CVSS 4.0
7.7
EPSS
0.2%
CVE-2025-59829 npm MEDIUM PATCH This Month

A security vulnerability in Claude Code (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Claude Code
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-59536 npm HIGH POC PATCH This Week

Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.111.

RCE Code Injection Claude Code
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-59828 npm HIGH PATCH This Week

Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Claude Code
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2025-59041 npm HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Claude Code
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-58764 npm HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Claude Code
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-55284 npm HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Claude Code
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2025-54795 npm HIGH POC PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Claude Code
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-54794 npm HIGH POC PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Canonical Path Traversal Claude Code
NVD GitHub
CVSS 4.0
7.7
EPSS
0.0%
EPSS 1% CVSS 7.7
HIGH PATCH This Week

Sandbox escape and code execution in Anthropic's Claude Code CLI (versions 2.1.38 through 2.1.162) lets a malicious repository break out of the macOS seatbelt sandbox by abusing git worktree handling. By creating a worktree named ".git" and combining symlink manipulation with git fsmonitor execution, an attacker can overwrite files in the user's home directory such as .zshenv to achieve code execution outside the sandbox. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation is realistic since it only requires a user to clone and open a booby-trapped repo; it is fixed in 2.1.163.

Path Traversal RCE Claude Code
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH POC PATCH This Week

Sandbox escape in Claude Code versions prior to 2.1.64 enables arbitrary file writes outside the workspace by exploiting symlink handling between sandboxed and unsandboxed processes, potentially leading to code execution. The vulnerability requires prompt injection to trigger malicious sandboxed code execution, creating an exploitable chain where neither component can independently breach the sandbox but their interaction does. EPSS score of 0.08% (23rd percentile) suggests limited real-world exploitation likelihood, and CISA SSVC indicates no known exploitation with non-automatable attack requirements. Version 2.1.64 patches this issue, auto-deployed to standard installations.

Path Traversal RCE Claude Code
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

OS command injection in Anthropic Claude Code CLI and Agent SDK for Python allows remote, unauthenticated attackers to execute arbitrary commands through unsanitized authentication helper parameters processed with shell=true. The vulnerability enables credential theft and environment variable exfiltration in CI/CD pipelines where these tools run with elevated automation privileges. Publicly available exploit code exists, creating immediate risk for organizations using these SDKs in automated workflows.

Command Injection Claude Code Claude Agent Sdk For Python
NVD VulDB
EPSS 0% CVSS 8.4
HIGH POC This Week

OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python enables arbitrary command execution via malicious file paths containing shell metacharacters. Local attackers can exploit POSIX shell command substitution within double-quoted strings to execute commands with user privileges. Publicly available exploit code exists. With CVSS 8.4 (High) and local attack vector requiring user interaction, this represents elevated risk in CI/CD pipelines and development environments where untrusted file paths may be processed.

Command Injection Claude Code Claude Agent Sdk For Python
NVD VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python allows local attackers to execute arbitrary commands by poisoning the TERMINAL environment variable with shell metacharacters. The vulnerability affects both normal CLI operations and deep-link handlers, enabling privilege escalation to the user context running the CLI. Publicly available exploit code exists. With CVSS 8.6 (High) severity, this presents significant risk in CI/CD pipelines and developer environments where environment variables may be attacker-controlled.

Command Injection Claude Code Claude Agent Sdk For Python
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code execution outside the intended sandbox boundary.

Privilege Escalation Code Injection RCE +4
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Claude Code versions prior to 2.1.7 allow unauthorized file access by bypassing deny rules through symbolic link traversal, enabling attackers to read restricted files that administrators explicitly blocked. An attacker with access to the system can exploit this vulnerability to access sensitive files like /etc/passwd by leveraging symlinks that point to denied resources. This vulnerability affects AI/ML tools using Claude Code and currently has no available patch.

Information Disclosure Claude Code
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Claude Code versions prior to 2.0.55 insufficiently validate piped sed commands, permitting authenticated users to circumvent file write protections and deposit files in restricted directories including .claude folders and locations outside project scope. An attacker with access to the "accept edits" feature can exploit this to write malicious content to sensitive areas of the system. A patch is available in version 2.0.55 and later.

Code Injection AI / ML Claude Code
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Claude Code prior to version 2.0.57 failed to properly validate MCP tool inputs, allowing malicious MCP servers to inject commands through tool responses.

Code Injection AI / ML Claude Code
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Claude Code versions before 2.0.72 allow authenticated attackers to execute arbitrary commands by exploiting a command parsing defect that bypasses the execution confirmation prompt via malicious find command syntax. An attacker with the ability to inject untrusted content into a Claude Code context can trigger unintended command execution with high impact to confidentiality, integrity, and availability. No patch is currently available for affected deployments.

Command Injection AI / ML Claude Code
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Claude Code versions prior to 2.0.74 allow authenticated users to write files outside designated directories by exploiting inadequate Bash command validation in ZSH clobber syntax parsing. An attacker with the ability to inject malicious content into a Claude Code context window on a ZSH-based system can bypass file restrictions and achieve unauthorized file writes without triggering user permission prompts. This vulnerability requires user interaction and ZSH environment configuration, making it suitable for supply chain or prompt injection attacks against Claude Code users.

Path Traversal AI / ML Claude Code
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Claude Code versions prior to 1.0.111 fail to properly validate trusted domains for WebFetch requests, allowing attackers to register lookalike domains (e.g., modelcontextprotocol.io.example.com) that bypass validation checks. This enables unauthorized automated requests to attacker-controlled servers without user interaction, potentially resulting in sensitive data exfiltration from the user's environment. The vulnerability affects Claude Code's agentic coding functionality and requires upgrading to version 1.0.111 or later to remediate.

Python AI / ML Claude Code
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious repositories that redirect API calls to attacker-controlled servers before the trust confirmation dialog appears. When a victim opens an infected repository, the tool automatically reads malicious configuration settings and sends API requests containing credentials before displaying any security prompt, enabling credential theft. Users should upgrade to version 2.0.65 or later, though auto-update users have already received the patch.

Authentication Bypass AI / ML Claude Code
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93.

Command Injection RCE Claude Code
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Claude Code
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Claude Code
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A security vulnerability in Claude Code (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Claude Code
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.111.

RCE Code Injection Claude Code
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Claude Code
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Claude Code
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Claude Code
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Claude Code
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Claude Code
NVD GitHub
EPSS 0% CVSS 7.7
HIGH POC PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Canonical Path Traversal Claude Code
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy