Skip to main content

Claude Mem

1 CVEs product

Monthly

CVE-2026-11330 LOW PATCH Monitor

Hash collision via field-boundary ambiguity in thedotmack/claude-mem through 11.0.1 allows a local low-privilege attacker to cause two semantically distinct observation records to produce identical content hashes, corrupting the SQLite-backed deduplication and integrity logic. The root cause is delimiter-free concatenation of three input fields in `computeObservationContentHash`, meaning different distributions of characters across `memorySessionId`, `title`, and `narrative` yield the same hash input and thus the same digest. No public exploit exists and exploitation is not confirmed actively in the wild; vendor-released fix version 12.0.0 is available.

Information Disclosure Claude Mem
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
EPSS 0% CVSS 2.0
LOW PATCH Monitor

Hash collision via field-boundary ambiguity in thedotmack/claude-mem through 11.0.1 allows a local low-privilege attacker to cause two semantically distinct observation records to produce identical content hashes, corrupting the SQLite-backed deduplication and integrity logic. The root cause is delimiter-free concatenation of three input fields in `computeObservationContentHash`, meaning different distributions of characters across `memorySessionId`, `title`, and `narrative` yield the same hash input and thus the same digest. No public exploit exists and exploitation is not confirmed actively in the wild; vendor-released fix version 12.0.0 is available.

Information Disclosure Claude Mem
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy