CVE-2026-47090
Claude HUD 0.0.12 Terminal Injection via OSC 8 Hyperlinks
CVSS Score
4.6
EPSS Score
0.0%
EPSS Percentile
0th
Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can embed ESC+backslash sequences in the current working directory or branch URL to execute malicious ANSI codes including text color changes, forged prompts, and OSC 52 clipboard writes, or trigger outbound HTTP requests to attacker-controlled remotes when hyperlinks are clicked.
| CWE | CWE-150 |
| Vendor | jarrodwatts |
| Product | claude-hud |
| Published | May 18, 2026 |
| Last Updated | May 19, 2026 |
Stay Ahead of the Next One
Get instant alerts for jarrodwatts claude-hud
Be the first to know when new medium vulnerabilities affecting jarrodwatts claude-hud are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
jarrodwatts / claude-hud
0 โค 0.0.12
References
github.com: https://github.com/jarrodwatts/claude-hud/issues/485 github.com: https://github.com/jarrodwatts/claude-hud/pull/487 github.com: https://github.com/jarrodwatts/claude-hud/commit/234d9aad919b51326a43bcf90b45ae35c23afc30 vulncheck.com: https://www.vulncheck.com/advisories/claude-hud-terminal-injection-via-osc-8-hyperlinks
Credits
Katriel Moses