CVE-2026-47090

Source
https://cve.org/CVERecord?id=CVE-2026-47090
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47090.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-47090
Published
2026-05-18T19:31:33.193Z
Modified
2026-07-15T01:49:08.537009347Z
Severity
  • 2.4 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Claude HUD 0.0.12 Terminal Injection via OSC 8 Hyperlinks
Details

Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can embed ESC+backslash sequences in the current working directory or branch URL to execute malicious ANSI codes including text color changes, forged prompts, and OSC 52 clipboard writes, or trigger outbound HTTP requests to attacker-controlled remotes when hyperlinks are clicked.

Database specific
{
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-150"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47090.json"
}
References

Affected packages

Git / github.com/jarrodwatts/claude-hud

Affected ranges

Type
GIT
Repo
https://github.com/jarrodwatts/claude-hud
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.0.12"
        }
    ],
    "cpe": "cpe:2.3:a:jarrodwatts:claude_hud:*:*:*:*:*:claude_code:*:*"
}

Affected versions

v0.*
v0.0.10
v0.0.12
v0.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47090.json"