CVE-2026-47091 – Claude HUD 0.0.12 Path Traversal via transcript_path

CVE ID :CVE-2026-47091

Published : May 18, 2026, 8:16 p.m. | 41 minutes ago

Description :Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary files by supplying an unvalidated transcript_path value via stdin JSON. Attackers can access any file readable by the process and the file metadata is written to a persistent cache file with insufficient permissions, creating a forensic record of accessed paths that survives process exit.

Severity: 4.8 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…