CVE-2026-47090 jarrodwatts CVE debrief

Who should care

Organizations using Claude HUD for terminal-based development workflows; security teams monitoring supply chain risks in developer tools; terminal emulator users with OSC 8 and OSC 52 support enabled.

Technical summary

The vulnerability stems from improper neutralization of escape sequences (CWE-150) when constructing OSC 8 terminal hyperlinks. The application directly interpolates cwd and branchUrl values into escape sequences without encoding or sanitization, allowing injection of ESC (0x1B) and backslash (0x5C) characters that terminate the OSC 8 sequence and begin new escape sequences. Attack vectors include: (1) directory traversal into paths containing malicious sequences, (2) repository branch URLs with embedded escape codes, and (3) social engineering to induce hyperlink clicks. Impacts range from visual deception (forged prompts, color manipulation) to clipboard manipulation (OSC 52) and outbound network requests. The fix in commit 234d9aa implements proper encoding of hyperlink parameters.

Defensive priority

LOW

Recommended defensive actions

• Upgrade Claude HUD to a version incorporating commit 234d9aa or later
• Review terminal output handling code for proper sanitization of OSC 8 hyperlink parameters
• Implement input validation to strip or encode control characters in directory names and URLs before inclusion in terminal escape sequences
• Consider disabling OSC 8 hyperlink support in terminal emulators if not required
• Audit terminal emulator configurations for OSC 52 clipboard access restrictions
• Educate users about risks of clicking terminal hyperlinks from untrusted sources

Evidence notes

Vulnerability disclosed via Vulncheck advisory. Patch commit, issue #485, and pull request #487 documented in NVD references. CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences) identified as primary weakness.

Official resources