CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2026-44470 – Claude Desktop: Local Privilege Escalation via Directory Junction in CoworkVMService
https://notcve.org/view.php?id=CVE-2026-44470
13 May 2026 — The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real directory or an NTFS directory junction before creating files within it. A local non-elevated user could replace the user-writable VM bundle directory with a directory junction pointing to an attacker-chosen location, causing the ser... • https://github.com/anthropics/claude-code/security/advisories/GHSA-5p5x-5294-qhp3 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-269: Improper Privilege Management •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2026-44467 – Claude Desktop: SSH Host Key Verification Bypass Allows Man-in-the-Middle Attack on Remote Sessions
https://notcve.org/view.php?id=CVE-2026-44467
13 May 2026 — The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname existed in ~/.ssh/known_hosts without comparing the server's presented host key against the stored key. This allowed a network-positioned attacker to present an arbitrary SSH host key and have the connection silently accepted, enabling a man-in-the-middle attack on remote de... • https://github.com/anthropics/claude-code/security/advisories/GHSA-3rwf-2g6p-c2f9 • CWE-297: Improper Validation of Certificate with Host Mismatch CWE-322: Key Exchange without Entity Authentication •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2026-21852 – Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
https://notcve.org/view.php?id=CVE-2026-21852
21 Jan 2026 — Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaki... • https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7 • CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-64755 – @anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
https://notcve.org/view.php?id=CVE-2025-64755
21 Nov 2025 — Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue has been patched in version 2.0.31. • https://github.com/anthropics/claude-code/security/advisories/GHSA-7mv8-j34q-vp7q • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •