HIGH
cnighswonger
CVE published 2026-05-27
CVE-2026-45136
A code injection vulnerability exists in claude-code-cache-fix versions 3.5.0 through 3.5.1. The tools/quota-statusline.sh script, introduced in version 3.5.0, interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal without proper sanitization. A ''' byte sequence in any user-controlled field of the payload can prematurely close the string literal, allowing subseq [truncated]