cbcvebase.

Siteboon Claudecodeui vulnerabilities

3 known vulnerabilities affecting siteboon/claudecodeui.

Total CVEs
3
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH2

Vulnerabilities

Page 1 of 1
CVE-2026-31975P2CRITICALCVSS 9.8fixed in 1.25.02026-03-11
CVE-2026-31975 [CRITICAL] CWE-78 CVE-2026-31975: Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Ge Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.25.0, OS Command Injection via WebSocket Shell. Both projectPath and initialCommand in server/index.js are taken directly from the WebSocket message payload and interpolated into a bash command string without any sanitization, en
nvd
CVE-2026-31861P2HIGHCVSS 8.8fixed in 1.24.02026-03-11
CVE-2026-31861 [HIGH] CWE-94 CVE-2026-31861: Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Ge Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, The /api/user/git-config endpoint constructs shell commands by interpolating user-supplied gitName and gitEmail values into command strings passed to child_process.exec(). The input is placed within double quotes and only " is
nvd
CVE-2026-31862P3HIGHCVSS 8.8fixed in 1.24.02026-03-11
CVE-2026-31862 [HIGH] CWE-78 CVE-2026-31862: Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Ge Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability i
ghsanvdosv
Siteboon Claudecodeui vulnerabilities | cvebase