SB2026043032 - OS Command Injection in Claude Code




Published: April 30, 2026

Security Bulletin ID: SB2026043032
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) OS Command Injection (CVE-ID: CVE-2026-25723)

The vulnerability allows a remote attacker to execute arbitrary commands and write files outside intended restrictions.

The vulnerability exists due to command injection in how Claude Code handles piped sed commands, specifically when processing commands that use piped sed operations with the echo command. A remote attacker can send a specially crafted command to execute arbitrary commands and write files outside intended restrictions.

Exploitation requires the ability to execute commands through Claude Code with the "accept edits" feature enabled.


Remediation

Install the update from the vendor's website.