High severity · NVD Advisory · Published Mar 11, 2026 · Updated Mar 12, 2026
Cloud CLI WebSocket shell injection
CVE-2026-31975
Description
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Versions prior to 1.25.0 are vulnerable to OS command injection via the WebSocket shell. Both projectPath and initialCommand in server/index.js are taken directly from the WebSocket message payload and interpolated into a bash command string without any sanitization, enabling arbitrary OS command execution. A secondary injection vector exists via the unsanitized sessionId. This vulnerability is fixed in 1.25.0.
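One way to handle the three fields named in the description without ever building a shell string, as an added example (not the project's code and not its 1.25.0 patch). `PROJECT_ROOT`, the command allowlist, the session-id pattern and the `--resume` flag are assumptions made for illustration.

```javascript
// Added example: root directory, allowlist and id pattern are assumptions.
const path = require('node:path');

const PROJECT_ROOT = '/home/dev/projects';      // assumed workspace root
const ALLOWED_COMMANDS = new Set(['claude', 'cursor-agent', 'codex', 'gemini']); // assumed
const SESSION_ID_RE = /^[A-Za-z0-9_-]{1,64}$/;  // assumed id shape

// Returns a spawn plan ({file, args, options}) or throws. No field is ever
// concatenated into a command string, so shell metacharacters stay inert.
function buildSpawnPlan(msg) {
  const { projectPath, initialCommand, sessionId } = msg;

  if (typeof projectPath !== 'string' || projectPath.includes('\0')) {
    throw new Error('projectPath: invalid type or NUL byte');
  }
  // Resolve against the root, then confirm the result did not escape it.
  const cwd = path.resolve(PROJECT_ROOT, projectPath);
  if (cwd !== PROJECT_ROOT && !cwd.startsWith(PROJECT_ROOT + path.sep)) {
    throw new Error('projectPath: outside allowed root');
  }

  // initialCommand is a key into a fixed allowlist, never shell text.
  if (!ALLOWED_COMMANDS.has(initialCommand)) {
    throw new Error('initialCommand: not in allowlist');
  }

  const args = [];
  if (sessionId !== undefined) {
    if (typeof sessionId !== 'string' || !SESSION_ID_RE.test(sessionId)) {
      throw new Error('sessionId: unexpected characters');
    }
    args.push('--resume', sessionId); // flag name assumed for illustration
  }

  // Hand this to child_process.spawn(file, args, options); with shell:false
  // the path travels as cwd and the id as one argv element, not through bash.
  return { file: initialCommand, args, options: { cwd, shell: false } };
}

// Non-throwing wrapper, convenient for logging rejected WebSocket messages.
function checkMessage(msg) {
  try { return { plan: buildSpawnPlan(msg), error: null }; }
  catch (e) { return { plan: null, error: e.message }; }
}
```

`path.resolve` does not follow symlinks, so a deployment that permits symlinks under the root would also compare `fs.realpathSync(cwd)` against the root.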
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @siteboon/claude-code-ui (npm) | < 1.25.0 | 1.25.0 |
Affected products
- siteboon/claudecodeui · v5 · Range: < 1.25.0
References
- github.com/advisories/GHSA-gv8f-wpm2-m5wr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-31975 (ghsa, ADVISORY)
- github.com/siteboon/claudecodeui/commit/12e7f074d9563b3264caf9cec6e1b701c301af26 (ghsa, x_refsource_MISC, WEB)
- github.com/siteboon/claudecodeui/releases/tag/v1.25.0 (ghsa, x_refsource_MISC, WEB)
- github.com/siteboon/claudecodeui/security/advisories/GHSA-gv8f-wpm2-m5wr (ghsa, x_refsource_CONFIRM, WEB)