CVE-2026-31862
Published 2026-03-11
Priority: P358
CVSS 3.1: 8.8 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.44% (34.9th percentile)
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability is fixed in 1.24.0.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cloudcli | cloud_cli | < 1.24.0 | 1.24.0 |
| siteboon | claudecodeui | < 1.24.0 | 1.24.0 |
| siteboon | claudecodeui | >= 0 < 1.24.0 | 1.24.0 |
GHSA · 2026-03-11
CVE-2026-31862 [CRITICAL] CWE-77: @siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters
### Summary
Multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands.
### Details
The claudecodeui application provides Git integration through various API endpoints. These endpoints accept user-controlled parameters such as file paths, branch names, commit messages, and commit hashes, which are directly interpolated into shell command strings passed to execAsync().
The application attempts to escape double quotes in some parameters, but this protection is trivially bypassable using other shell metacharacters such as:
Command substitution: $(command) or \`c
OSV · 2026-03-11
CVE-2026-31862 [CRITICAL] @siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters (same advisory text as the GHSA entry)
No detection rules found.
No public exploits indexed.