A command injection vulnerability in Claude HUD through version 0.0.12 allows local attackers to execute arbitrary commands on Windows systems by manipulating the COMSPEC environment variable. The vulnerability exists because the application uses execFile() to invoke cmd.exe for version checks without properly validating or sanitizing the COMSPEC environment variable. An attacker with local access can set [truncated]
A path traversal vulnerability in Claude HUD through version 0.0.12 allows local attackers with low privileges to read arbitrary files readable by the process. The vulnerability stems from insufficient validation of the `transcript_path` parameter supplied via stdin JSON. Additionally, accessed file metadata is written to a persistent cache file with overly permissive permissions, creating a forensic reco [truncated]
CVE-2026-47090 describes a terminal escape sequence injection vulnerability in Claude HUD through version 0.0.12. The application constructs OSC 8 terminal hyperlink escape sequences using raw current working directory (cwd) and branchUrl values without sanitizing control characters or encoding embedded values. This allows attackers to inject arbitrary ANSI escape codes into terminal sessions by embedding [truncated]
