CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2026-44470 – Claude Desktop: Local Privilege Escalation via Directory Junction in CoworkVMService
https://notcve.org/view.php?id=CVE-2026-44470
13 May 2026 — The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real directory or an NTFS directory junction before creating files within it. A local non-elevated user could replace the user-writable VM bundle directory with a directory junction pointing to an attacker-chosen location, causing the ser... • https://github.com/anthropics/claude-code/security/advisories/GHSA-5p5x-5294-qhp3 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-269: Improper Privilege Management •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2026-44467 – Claude Desktop: SSH Host Key Verification Bypass Allows Man-in-the-Middle Attack on Remote Sessions
https://notcve.org/view.php?id=CVE-2026-44467
13 May 2026 — The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname existed in ~/.ssh/known_hosts without comparing the server's presented host key against the stored key. This allowed a network-positioned attacker to present an arbitrary SSH host key and have the connection silently accepted, enabling a man-in-the-middle attack on remote de... • https://github.com/anthropics/claude-code/security/advisories/GHSA-3rwf-2g6p-c2f9 • CWE-297: Improper Validation of Certificate with Host Mismatch CWE-322: Key Exchange without Entity Authentication •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2026-21852 – Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
https://notcve.org/view.php?id=CVE-2026-21852
21 Jan 2026 — Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaki... • https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7 • CWE-522: Insufficiently Protected Credentials •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-66032 – Claude Code Command Validation Bypass Allows Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2025-66032
03 Dec 2025 — Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93. • https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-64755 – @anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
https://notcve.org/view.php?id=CVE-2025-64755
21 Nov 2025 — Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue has been patched in version 2.0.31. • https://github.com/anthropics/claude-code/security/advisories/GHSA-7mv8-j34q-vp7q • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-65099 – Claude Code vulnerable to command execution prior to startup trust dialog
https://notcve.org/view.php?id=CVE-2025-65099
19 Nov 2025 — Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory and to be using Yarn 3.0 or above. This issue has been patched in version 1.0.39. • https://github.com/anthropics/claude-code/security/advisories/GHSA-5hhx-v7f6-x7gv • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-59829 – Claude Code: Permission deny bypass is possible through symlink
https://notcve.org/view.php?id=CVE-2025-59829
03 Oct 2025 — Claude Code is an agentic coding tool. Versions below 1.0.120 failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to that file, it was possible for Claude Code to access the file. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. • https://github.com/anthropics/claude-code/security/advisories/GHSA-66m2-gx93-v996 • CWE-61: UNIX Symbolic Link (Symlink) Following •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-59536 – Claude Code's startup trust dialog could lead to Command Execution attack
https://notcve.org/view.php?id=CVE-2025-59536
03 Oct 2025 — Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. • https://github.com/anthropics/claude-code/security/advisories/GHSA-4fgq-fpq9-mr3g • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-59828 – Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions
https://notcve.org/view.php?id=CVE-2025-59828
24 Sep 2025 — Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be executed prior to the user accepting the risks of working in an untrusted directory. Users running Yarn Classic were unaffected by this issue. This issue has been fixed in version 1.0.39. • https://github.com/anthropics/claude-code/security/advisories/GHSA-2jjv-qf24-vfm4 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-59041 – Claude Code vulnerable to arbitrary code execution caused by maliciously configured git email
https://notcve.org/view.php?id=CVE-2025-59041
10 Sep 2025 — Claude Code is an agentic coding tool. At startup, Claude Code executed a command templated in with `git config user.email`. Prior to version 1.0.105, a maliciously configured user email in git could be used to trigger arbitrary code execution before a user accepted the workspace trust dialog. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to version 1.0.105 or the latest version. • https://github.com/anthropics/claude-code/security/advisories/GHSA-j4h9-wv2m-wrf7 • CWE-94: Improper Control of Generation of Code ('Code Injection') •