Claude HUD 0.0.12 Arbitrary Command Execution via COMSPEC Environment Variable

Advisories

Claude HUD 0.0.12 Arbitrary Command Execution via COMSPEC Environment Variable

severity: high
date: 5/18/2026
Affecting: Claude HUD <= 0.0.12, patched in commit 234d9aa
CVE: CVE-2026-47092
CWE: CWE-427 Uncontrolled Search Path Element
CVSS: 7.3
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: GitHub Issue
Pull Request
Patch Commit
Credit: Katriel Moses
Description: Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud performs its version check, causing execFile() to execute the attacker-supplied executable with cmd.exe arguments, resulting in arbitrary code execution on Windows systems.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo