CVE-2026-47092 – Claude HUD 0.0.12 Arbitrary Command Execution via COMSPEC Environment Variable

CVE ID :CVE-2026-47092

Published : May 18, 2026, 8:16 p.m. | 41 minutes ago

Description :Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud performs its version check, causing execFile() to execute the attacker-supplied executable with cmd.exe arguments, resulting in arbitrary code execution on Windows systems.

Severity: 7.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-25244 – WebdriverIO has Command Injection in the BrowserStack Service

CVE-2026-4137 – Incomplete Fix for CVE-2025-10279: Insecure Temporary Directory Permissions in mlflow/mlflow

CVE-2026-22810 – Joplin: Path traversal in OneNote importer allows overwriting arbitrary files

CVE-2026-47091 – Claude HUD 0.0.12 Path Traversal via transcript_path