CVE-2025-15060 - Vulnerability Details

- claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability

Description

claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of claude-hovercraft. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the implementation of the executeClaudeCode method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27785.

Published: 2026-03-13

Score: 9.8 Critical

EPSS: 1.3% Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability resides in the executeClaudeCode method of claude‑hovercraft. The method fails to validate a user‑supplied string before passing it to a system call, allowing an attacker to inject arbitrary commands. Because authentication is not required, any network user can trigger the flaw. The impact is remote code execution on the server running the claude‑hovercraft service, with the privileges of the service account, mapping to CWE‑78. An attacker could install malware, exfiltrate data, or pivot to other systems.

Affected Systems

Affected vendors: claude‑hovercraft (product claude‑hovercraft). No exact version information is provided, so all releases containing the executeClaudeCode method may be vulnerable until a patch is issued.

Risk and Exploitability

The CVSS base score of 9.8 denotes critical severity, while the EPSS score of 2% indicates that automated exploitation is not widespread yet. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is remote and network‑based; an attacker can send a crafted request to the executeClaudeCode endpoint and force command execution without credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

claude-hovercraft

unknown

Version	Status	Constraints
`96e46a44f090b5b4359aec51bcd97354ffe8b17d`	affected	—

No data.

Vendor Product Confidence Versions

Claude-hovercraft

100%

Version	Status	Scheme	Platform
`96e46a44f090b5b4359aec51bcd97354ffe8b17d`	affected	code_commit	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any vendor‑supplied patch or upgrade to the latest version of claude‑hovercraft as soon as it becomes available.
If a patch is not yet available, restrict network access to the service or block unauthenticated traffic reaching the executeClaudeCode endpoint.
Monitor system logs for suspicious command execution or anomalous activity related to the executeClaudeCode functionality.
Check the vendor’s website or the referenced advisory (https://www.zerodayinitiative.com/advisories/ZDI-26-124/) for updates or additional guidance.

Generated by OpenCVE AI on March 19, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01324.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://www.zerodayinitiative.com/advisories/ZDI-26-124/

History

Mon, 16 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Claude-hovercraft Claude-hovercraft claude-hovercraft
Vendors & Products		Claude-hovercraft Claude-hovercraft claude-hovercraft

Fri, 13 Mar 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of claude-hovercraft. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the executeClaudeCode method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27785.
Title		claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability
Weaknesses		CWE-78
References		https://www.zerodayinitiative.com/advisories/ZDI-26-124/
Metrics		cvssV3_0 `{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Claude-hovercraft Claude-hovercraft

MITRE

Status: PUBLISHED

Assigner: zdi

Published: 2026-03-13T20:43:36.780Z

Updated: 2026-03-16T15:41:05.701Z

Reserved: 2025-12-23T20:39:36.859Z

Link: CVE-2025-15060

Vulnrichment

Updated: 2026-03-16T15:31:41.421Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:17:55.780

Modified: 2026-03-16T14:53:46.157

Link: CVE-2025-15060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:39:34Z

Weaknesses

CWE-78

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object