Description
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability is fixed in 1.24.0.
Published: 2026-03-11
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Cloud CLI (Claude Code UI) allows authenticated attackers to execute arbitrary OS commands through command injection. The vulnerability arises because multiple Git‑related API endpoints use execAsync() with string interpolation of user‑controlled parameters (file, branch, message, commit). This is a classic CWE‑78 vulnerability leading to Remote Code Execution.

Affected Systems

The affected product is the Siteboon Cloud CLI (Claude Code UI) before version 1.24.0. The vulnerability is present in all releases prior to the 1.24.0 release, as documented by the vendor.

Risk and Exploitability

The CVSS score is 9.1, indicating a critical severity. The EPSS score is below 1 %, suggesting low exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication and access to the Git API endpoints, and the attack vector is via application‑level functionality rather than network‑level exploits.

Generated by OpenCVE AI on March 17, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Cloud CLI version 1.24.0 or later, which removes the affected execAsync calls.

Generated by OpenCVE AI on March 17, 2026 at 20:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f2fc-vc88-6w7q @siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters
History

Tue, 17 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Cloudcli
Cloudcli cloud Cli
CPEs cpe:2.3:a:cloudcli:cloud_cli:*:*:*:*:*:*:*:*
Vendors & Products Cloudcli
Cloudcli cloud Cli

Thu, 12 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Siteboon
Siteboon claudecodeui
Vendors & Products Siteboon
Siteboon claudecodeui

Wed, 11 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability is fixed in 1.24.0.
Title Cloud CLI has Command Injection via Multiple Parameters
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Cloudcli Cloud Cli
Siteboon Claudecodeui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T14:22:04.149Z

Reserved: 2026-03-09T19:02:25.013Z

Link: CVE-2026-31862

cve-icon Vulnrichment

Updated: 2026-03-12T14:21:59.501Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T18:16:25.073

Modified: 2026-03-17T19:04:29.000

Link: CVE-2026-31862

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:30:18Z

Weaknesses