CVE-2026-45136

7.8 HIGH

claude-code-cache-fix is a cache optimization proxy for Claude Code

Published: 2026-05-27 · Last updated: 2026-06-02

Severity and scoring

CVSS: 7.8 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-78, CWE-94

Affected products

Vendor	Product
cnighswonger	claude-code-cache-fix

Description

claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process. This vulnerability is fixed in 3.5.2.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45136
[Exploit reference]https://github.com/cnighswonger/claude-code-cache-fix/issues/108
[Patch]https://github.com/cnighswonger/claude-code-cache-fix/pull/110
[Vendor advisory]https://github.com/cnighswonger/claude-code-cache-fix/security/advisories/GHSA-g3xq-3gmv-qq8g
[Exploit reference]https://github.com/cnighswonger/claude-code-cache-fix/issues/108
[Vendor advisory]https://github.com/cnighswonger/claude-code-cache-fix/security/advisories/GHSA-g3xq-3gmv-qq8g

Related CVEs

Same CWE

CVE-2026-22313 — The device has a webserver that exposes a REST API authenticated with a token on the management network (9.1 CRITICAL)
CVE-2026-44932 — Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a ... (8.8 HIGH)
CVE-2026-24155 — NVIDIA NeMo Framework for all platforms contains a code injection vulnerability (7.8 HIGH)
CVE-2026-12398 — A command injection vulnerability was found in galaxy_ng (7.5 HIGH)
CVE-2026-5416 — Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command in... (8.8 HIGH)