CVE-2026-47090

4.6 MEDIUM
Published: May 18, 2026 Modified: June 02, 2026

Description

Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can embed ESC+backslash sequences in the current working directory or branch URL to execute malicious ANSI codes including text color changes, forged prompts, and OSC 52 clipboard writes, or trigger outbound HTTP requests to attacker-controlled remotes when hyperlinks are clicked.
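As an added illustration of the mitigation (not code from the claude-hud project or its patch), the following TypeScript builds an OSC 8 hyperlink from untrusted `cwd`/`branchUrl` values by stripping control characters, percent-encoding the target and checking its scheme against an assumed allowlist, and it shows why the raw concatenation lets an ESC `\` in the path close the sequence early. The scheme allowlist, function names and the sample path are assumptions.

```typescript
// Added example, not code from the claude-hud project. Shows the vulnerable
// raw construction of an OSC 8 hyperlink next to a hardened version.

const ESC = "\x1b";
const ST = ESC + "\\"; // String Terminator (ESC \) that closes an OSC sequence
const ALLOWED_SCHEMES = new Set(["http", "https", "file"]); // assumed allowlist

// Vulnerable pattern from the CVE description: cwd / branchUrl go in verbatim,
// so an ESC \ inside them ends the OSC early and what follows is interpreted.
function rawOsc8(target: string, label: string): string {
  return `${ESC}]8;;${target}${ST}${label}${ESC}]8;;${ST}`;
}

// Drop C0 controls (incl. ESC 0x1b and BEL 0x07), DEL, and C1 controls
// (0x80-0x9f, which some terminals accept as 8-bit introducers).
function stripControls(s: string): string {
  return s.replace(/[\u0000-\u001f\u007f-\u009f]/g, "");
}

// Percent-encode the link target so nothing left after stripping can be read
// as anything but URI text. encodeURI() also escapes '%', so the input is
// assumed to be a raw (not yet percent-encoded) path or URL.
function encodeLinkTarget(s: string): string {
  return encodeURI(stripControls(s));
}

// Returns the hyperlink sequence, or only the sanitized label when the target
// has no scheme on the allowlist (e.g. an unexpected remote URL scheme, or a
// value that is not a URL at all), so no clickable link is emitted for it.
function safeOsc8(target: string, label: string): string {
  const text = stripControls(label);
  const href = encodeLinkTarget(target);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (!m || !ALLOWED_SCHEMES.has(m[1].toLowerCase())) return text;
  return `${ESC}]8;;${href}${ST}${text}${ESC}]8;;${ST}`;
}

// Constructed sample: a cwd whose name carries ESC \ (ST) followed by an SGR
// colour code, the injection pattern the CVE description describes.
const SAMPLE_CWD = `/tmp/proj${ESC}\\${ESC}[31m`;

// True when the rendered string contains no ESC or BEL outside the two OSC 8
// wrappers, i.e. nothing a terminal could interpret as an injected ANSI code.
function isCleanHyperlink(rendered: string): boolean {
  const body = rendered
    .replace(/^\x1b\]8;;[^\x1b]*\x1b\\/, "")
    .replace(/\x1b\]8;;\x1b\\$/, "");
  return !body.includes(ESC) && !body.includes("\x07");
}
```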


CVSS v3.x Details

Vector String
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

https://github.com/jarrodwatts/claude-hud/issues/485
Source: disclosure@vulncheck.com
Issue Tracking
https://github.com/jarrodwatts/claude-hud/pull/487
Source: disclosure@vulncheck.com
Issue Tracking Patch

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
4.6 / 10.0
EPSS (Exploit Probability)
0.1%
1st percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

jarrodwatts