PatchSiren cyber security CVE debrief
CVE-2026-47092 jarrodwatts CVE debrief
A command injection vulnerability in Claude HUD through version 0.0.12 allows local attackers to execute arbitrary commands on Windows systems by manipulating the COMSPEC environment variable. The vulnerability exists because the application uses execFile() to invoke cmd.exe for version checks, taking the interpreter path from the COMSPEC environment variable without validating it. An attacker with local access can set COMSPEC to point to an arbitrary executable path before Claude HUD performs its version check, causing the application to execute the attacker-supplied binary with the arguments intended for cmd.exe. This results in arbitrary code execution with the privileges of the Claude HUD process. The issue was patched in commit 234d9aa. The vulnerability is rated HIGH severity with a CVSS score of 7.3, reflecting high impact on confidentiality, integrity, and availability combined with low attack complexity for an attacker who already has local access.
- Vendor
- jarrodwatts
- Product
- claude-hud
- CVSS
- HIGH 7.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-18
- Original CVE updated
- 2026-05-18
- Advisory published
- 2026-05-18
- Advisory updated
- 2026-05-18
Who should care
Organizations running Claude HUD on Windows systems, particularly in multi-user or shared environments where local attackers may have access. Security teams monitoring for environment variable manipulation attacks. Developers using Node.js execFile() or similar subprocess APIs on Windows platforms.
Technical summary
The vulnerability stems from insecure use of Node.js execFile() on Windows. Windows itself does not consult COMSPEC when a process is asked to run "cmd.exe" (CreateProcess searches the application directory, the system directories, and PATH). Node's child_process does: when the shell option is used on Windows, the file that is spawned is process.env.comspec falling back to cmd.exe, and code that reads process.env.COMSPEC itself and hands the result to execFile() behaves the same way. Because a child inherits its environment from the parent, an attacker who controls the environment of whatever launches Claude HUD (a user-scope environment variable under HKCU\Environment, a launcher script, or a shell profile) can point COMSPEC at a malicious executable before the version check subprocess starts. That executable then receives the arguments meant for cmd.exe (the debrief describes these as typically /c ver or similar) and runs with the privileges of the Claude HUD process. This is the CWE-427 pattern: the interpreter path is an uncontrolled element supplied by the environment. The stored evidence does not describe the fix in commit 234d9aa in detail; it most likely either validates the shell path against a fixed location or stops relying on COMSPEC resolution altogether. The vulnerability is Windows-specific and requires local access to modify environment variables before process launch.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Claude HUD to version 0.0.13 or later, which contains the patch in commit 234d9aa
- Audit Windows systems for unauthorized COMSPEC values in both the machine scope (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment) and the user scope (HKCU\Environment); the expected value is %SystemRoot%\System32\cmd.exe
- Review application code for execFile() or spawn() calls that use the shell option on Windows, or that read COMSPEC/ComSpec directly and pass the result as the program to run
- Prefer invoking the target program directly without a shell; where a shell is unavoidable, derive its path from a fixed location rather than from the environment, and treat any environment-derived path as untrusted input
- Apply the principle of least privilege to the context in which Claude HUD runs, since the payload executes with the process's privileges
- Monitor process-creation telemetry (Sysmon Event ID 1 or Windows Security Event 4688 with command-line logging enabled) for children of the Claude HUD process whose image is not %SystemRoot%\System32\cmd.exe but whose command line carries cmd.exe-style arguments such as /c
Evidence notes
Vulnerability disclosed via VulnCheck advisory and a GitHub issue/pull request. Patch commit 234d9aad919b51326a43bcf90b45ae35c23afc30 confirms the fix. CWE-427 (Uncontrolled Search Path Element) is classified as the primary weakness. The CVSS 4.0 vector indicates a local attack vector with low attack complexity and high impact across confidentiality, integrity, and availability.
Official resources
2026-05-18