OS Command Injection in Claude Code - CVE-2026-25723

Published: April 30, 2026


Vulnerability identifier: #VU128513
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-25723
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Claude Code
Software vendor:
Anthropic

Description

The vulnerability allows a remote attacker to execute arbitrary commands and write files outside intended restrictions.

The vulnerability exists due to a command injection flaw in Claude Code's handling of piped sed commands, specifically when a command pipes the output of echo into sed. A remote attacker can send a specially crafted command to execute arbitrary commands and write files outside the intended restrictions.

Exploitation requires the ability to execute commands through Claude Code with the "accept edits" feature enabled.
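As an added illustration (not code from this advisory or from Anthropic's Claude Code), a conservative gate a tool could apply before auto-accepting an echo-to-sed pipeline: any sed stage whose script can write files or run programs is routed to explicit approval instead of "accept edits". It assumes GNU sed semantics for the w/W/e commands and the s///w and s///e flags, does not unbundle combined short options such as -Ei, is not a full shell parser, and whether this is the exact path behind CVE-2026-25723 is not stated in the advisory.

```python
import shlex

def risky_sed_commands(script):
    """GNU sed commands in SCRIPT that leave the text stream: 'w'/'W' write a
    file, 'e' runs a command, and 's' takes 'w FILE' or 'e' as a flag."""
    found, i, n = set(), 0, len(script)
    def skip(j, stop):  # index of the next char in STOP, honouring '\' escapes
        while j < n and script[j] not in stop:
            j += 2 if script[j] == "\\" else 1
        return j
    while i < n:
        c = script[i]
        if c == "/":                           # /regex/ address
            i = skip(i + 1, "/") + 1
        elif c in "sy" and i + 1 < n:          # s/pat/rep/flags or y/src/dst/
            d = script[i + 1]
            i = skip(skip(i + 2, d) + 1, d) + 1
            flags = script[i:skip(i, " ;\n}#")]  # the run of s/// flags
            if c == "s" and set(flags) & {"w", "e"}:
                found.add("s///" + ("w" if "w" in flags else "e"))
            i = skip(i, ";\n}")
        elif c in "wWe":                       # w FILE, W FILE, e COMMAND
            found.add(c)
            i = skip(i, ";\n}")
        else:  # a/i/c text, labels, r FILE and comments run to end of command
            i = skip(i, ";\n}") if c in "aic:btTrR#" else i + 1
    return found

def sed_review_reasons(cmdline):
    """Reasons CMDLINE must not be auto-accepted as a text-only pipeline."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    stages, reasons = [[]], []
    for tok in lex:  # split into commands on | || && ; & (not a full shell parse)
        if tok and set(tok) <= set("|&;"):
            stages.append([])
        else:
            stages[-1].append(tok)
    for argv in (s for s in stages if s and s[0].rsplit("/", 1)[-1] in ("sed", "gsed")):
        scripts, args = [], iter(argv[1:])
        for a in args:
            if a.startswith(("-i", "--in-place", "-f", "--file")):
                reasons.append("sed edits in place or loads a script file")
            elif a in ("-e", "--expression"):
                scripts.append(next(args, ""))
            elif not a.startswith("-") and not scripts:
                scripts.append(a)  # first positional argument is the script
        for cmd in sorted(set().union(*map(risky_sed_commands, scripts))):
            reasons.append("sed %s writes a file or runs a program" % cmd)
    return reasons
```

An empty result means the pipeline only transforms text and could stay on the auto-accept path; any non-empty result names what needs a human decision.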


Remediation

Install the security update from the vendor's website.

External links