QSearchQSearch

CVE-2026-47090

4.6 MEDIUM

Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl va...

Published: 2026-05-18 · Last updated: 2026-06-02

Severity and scoring

CVSS
4.6 MEDIUM
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE
CWE-150

Affected products

VendorProduct
jarrodwattsclaude_hud

Description

Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can embed ESC+backslash sequences in the current working directory or branch URL to execute malicious ANSI codes including text color changes, forged prompts, and OSC 52 clipboard writes, or trigger outbound HTTP requests to attacker-controlled remotes when hyperlinks are clicked.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-47092 Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute a... (7.8 HIGH)
  • CVE-2026-47091 Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary fil... (3.3 LOW)

Same CWE

  • CVE-2026-9270 DataDog::DogStatsd versions through 0.07 for Perl allow metric injections (9.1 CRITICAL)
  • CVE-2026-11362 DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags (9.8 CRITICAL)
  • CVE-2026-45038 Tabby (formerly Terminus) is a highly configurable terminal emulator (7.8 HIGH)
  • CVE-2026-45803 `gh` is GitHub’s official command line tool (3.5 LOW)
  • CVE-2026-6019 http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context (6.1 MEDIUM)