Description
Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud performs its version check, causing execFile() to execute the attacker-supplied executable with cmd.exe arguments, resulting in arbitrary code execution on Windows systems.
Published: 2026-05-18
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insecure handling of the COMSPEC environment variable. When claude-hud performs its version check, it spawns a child process via execFile(), using the value of COMSPEC as the program to run. If COMSPEC has been set to an arbitrary path, the spawned process executes that binary with cmd.exe-style arguments. This lets a local attacker run any command with the privileges of the claude-hud process, achieving arbitrary command execution. The weakness is an uncontrolled search path element (CWE-427), here via an untrusted environment variable.

Affected Systems

The affected product is the open-source Claude HUD project hosted by jarrodwatts. Versions up to and including 0.0.12 are vulnerable. The issue is specific to Windows, the only platform on which COMSPEC is consulted. The bug was fixed in commit 234d9aa, which removes the reliance on COMSPEC during the startup routine. Only installations of 0.0.12 or earlier that have not applied the patch remain at risk.

Risk and Exploitability

The CVSS base score for this vulnerability is 7.3, indicating high severity. No EPSS data is publicly available, and the vulnerability is not listed in CISA's KEV catalog, but it can be exploited by any local user with read/write access to the system where claude-hud runs. Because the flaw involves environment variable manipulation, an attacker needs nothing beyond setting COMSPEC before the application launches. Prompt remediation is strongly recommended.

Generated by OpenCVE AI on May 18, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version newer than 0.0.12 that includes the fix, or apply the patch commit 234d9aa to remove dependence on COMSPEC during startup.
  • Ensure that the COMSPEC environment variable is unset or set only to the system default before launching claude-hud, preventing accidental execution of malicious binaries.
  • Maintain a regular patch management process to monitor the project’s repository for security updates and incorporate them into deployment pipelines, thereby avoiding similar local exploitation vectors.


Tracking


Advisories

No advisories yet.

History

Mon, 18 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud performs its version check, causing execFile() to execute the attacker-supplied executable with cmd.exe arguments, resulting in arbitrary code execution on Windows systems.
Title | | Claude HUD 0.0.12 Arbitrary Command Execution via COMSPEC Environment Variable
Weaknesses | | CWE-427
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | cvssV4_0: {'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-18T19:46:48.302Z

Reserved: 2026-05-18T19:22:26.747Z

Link: CVE-2026-47092

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-18T20:16:40.040

Modified: 2026-05-18T20:19:31.307

Link: CVE-2026-47092

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T22:00:12Z

Weaknesses