Code Injection in Claude Code - #VU128528

Published: April 30, 2026


Vulnerability identifier: #VU128528
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Claude Code
Software vendor: Anthropic

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in the startup trust warning mechanism: when a user starts Claude Code in a new directory and approves the trust prompt, executable files already present in that directory can run. A remote attacker who can place executable files in the folder can therefore execute arbitrary code once the prompt is approved.

User interaction is required to approve the trust prompt.
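Because the trust prompt is the point at which attacker-placed files in a directory get to run, the useful defensive habit is to inventory a freshly obtained directory before approving any such prompt. The following is an added example written for this advisory, not code from the advisory or from Anthropic, and it does not model Claude Code's own trust logic (which is not described here). It walks a directory without following symlinks and reports three things a reviewer should see before trusting the tree: files with an execute bit, hidden directories, and symlinks that resolve outside the tree. The sample project it audits is constructed inside a temporary directory.

```python
"""Pre-trust audit of a freshly obtained directory (added example, generic).

The advisory describes a trust prompt that, once approved, allows executable
files an attacker placed in the directory to run. This inventory is what a
reviewer should look at before approving any such prompt. It is not
Claude Code's own trust mechanism, which this example does not know.
"""
import os
import stat
import tempfile
from dataclasses import dataclass, field


@dataclass
class AuditReport:
    executables: list = field(default_factory=list)        # relative paths with x bit set
    hidden_dirs: list = field(default_factory=list)        # relative paths of dot-directories
    escaping_symlinks: list = field(default_factory=list)  # (relative link, resolved target)

    def is_clean(self) -> bool:
        return not (self.executables or self.hidden_dirs or self.escaping_symlinks)

    def summary(self) -> str:
        lines = [f"{len(self.executables)} executable file(s): {self.executables}",
                 f"{len(self.hidden_dirs)} hidden dir(s): {self.hidden_dirs}",
                 f"{len(self.escaping_symlinks)} symlink(s) leaving the tree: {self.escaping_symlinks}"]
        return "\n".join(lines)


def _escapes(root: str, path: str) -> bool:
    """True if the symlink at `path` resolves to a location outside `root`."""
    target = os.path.realpath(path)
    return os.path.commonpath([root, target]) != root


def audit_directory(root: str) -> AuditReport:
    """Walk `root` without following symlinks and collect review-worthy items."""
    root = os.path.realpath(root)
    report = AuditReport()
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            rel = os.path.relpath(full, root)
            # os.walk lists a symlink-to-directory in dirnames but will not descend into it
            if os.path.islink(full) and _escapes(root, full):
                report.escaping_symlinks.append((rel, os.path.realpath(full)))
            elif d.startswith("."):
                report.hidden_dirs.append(rel)
        for f in filenames:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                if _escapes(root, full):
                    report.escaping_symlinks.append((rel, os.path.realpath(full)))
                continue
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                report.executables.append(rel)
    return report


def build_sample_project() -> str:
    """Constructed sample (not a real project): a README, a hidden directory
    holding an executable script, and a symlink pointing out of the tree."""
    root = tempfile.mkdtemp(prefix="pretrust-")
    with open(os.path.join(root, "README.md"), "w") as fh:
        fh.write("# sample project\n")
    hidden = os.path.join(root, ".tooling")
    os.mkdir(hidden)
    script = os.path.join(hidden, "setup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho hello\n")
    os.chmod(script, 0o755)
    # Link to the parent temp directory, i.e. a target outside the project tree
    os.symlink(os.path.dirname(root), os.path.join(root, "outside-link"))
    return root


if __name__ == "__main__":
    project = build_sample_project()
    report = audit_directory(project)
    print(report.summary())
    print("clean" if report.is_clean() else "review before trusting")
```

The check is POSIX-oriented (execute bits, symlinks); on Windows the executable test would need to key off file extensions instead. The point is the workflow rather than the specific heuristics: nothing in a newly cloned or downloaded directory should be able to run until someone has looked at what is in it.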


Remediation

Install the security update from the vendor's website.

External links