Main Vulnerability Database Vulnerabilities #VU128528

Code Injection in Claude Code - #VU128528

Published: April 30, 2026

Vulnerability identifier: #VU128528

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: N/A

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Anthropic

Affected software:
Claude Code

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in the startup trust warning mechanism when a user starts Claude Code in a new directory and approves the trust prompt. A remote attacker can place executable files in the folder to execute arbitrary code.

User interaction is required to approve the trust prompt.

Remediation

Install security update from vendor's website.

Sources

https://github.com/anthropics/claude-code/security/advisories/GHSA-ph6w-f82w-28w6

Code Injection in Claude Code - #VU128528

Detailed vulnerability description

Remediation

Sources

Please verify you're human