AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-47092: Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attac

highvulnerability

security

Source: NVD/CVE DatabaseMay 18, 2026CVE-2026-47092

Summary

Claude HUD versions up to 0.0.12 contain a command injection vulnerability (a security flaw where an attacker can trick a program into running harmful commands) that affects Windows systems. An attacker with local access can manipulate the COMSPEC environment variable (a Windows setting that specifies which command interpreter to use) before the software checks its version, causing it to run malicious code with system permissions.

Solution / Mitigation

The vulnerability was patched in commit 234d9aa. Users should update to a version after 0.0.12 that includes this patch.

Vulnerability Details

CVSS Score

7.8(high)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

local

Attack Complexity

low

Privileges Required

low

User Interaction

none

Disclosure Date

May 18, 2026

Classification

Attack Type

Other

Attack SophisticationTrivial

Impact (CIA+S)

integrityconfidentiality

Taxonomy References

CWE (Weakness Type)

CWE-427

Affected Vendors

Anthropic

Related Issues

info

Secure AI agent access patterns to AWS resources using Model Context Protocol

Same vendorAWS Security Blog

high

Anthropic accuses Chinese AI labs of mining Claude as US debates AI chip exports

Same vendorTechCrunch

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-47092

First tracked: May 18, 2026 at 08:12 PM

Classified by LLM (prompt v3) · confidence: 85%