High severity 7.8 · GHSA Advisory · Published May 27, 2026 · Updated Jun 2, 2026
CVE-2026-45136
Description
claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process. This vulnerability is fixed in 3.5.2.
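The mechanism described above, as an added example that is not the project's code and not the 3.5.2 patch: a stand-in template shows when an interpolated payload stops being a string constant, beside a handling pattern in which the payload is only ever parsed as JSON. The template, the function names and the `cwd` field are assumptions; the generated source is parsed with `ast` and never executed.

```python
import ast
import json

# Hypothetical stand-in for the vulnerable pattern (not the project's script):
# the hook payload is pasted between ''' ... ''' in generated Python source.
UNSAFE_TEMPLATE = (
    "import json\n"
    "data = json.loads('''{payload}''')\n"
    "print(data.get('cwd', ''))\n"
)


def render_unsafe(payload: str) -> str:
    """Build the program text the way string interpolation would."""
    return UNSAFE_TEMPLATE.replace("{payload}", payload)


def shape(tree: ast.AST) -> list:
    """Node type names in walk order; any extra code changes this list."""
    return [type(node).__name__ for node in ast.walk(tree)]


BASELINE = shape(ast.parse(render_unsafe("{}")))


def stays_data(payload: str) -> bool:
    """Parse (never execute) the generated source and report whether the
    payload survived as one unmodified string constant."""
    try:
        tree = ast.parse(render_unsafe(payload))
    except (SyntaxError, ValueError):
        return False  # literal ended early; the remainder was read as code
    constants = [n.value for n in ast.walk(tree) if isinstance(n, ast.Constant)]
    return shape(tree) == BASELINE and payload in constants


def read_field(payload: str, field: str) -> str:
    """Hardened pattern: the payload is only ever parsed as JSON data. In a
    shell wrapper this is a fixed Python program reading json.load(sys.stdin)."""
    value = json.loads(payload).get(field, "")
    return value if isinstance(value, str) else ""


# Constructed sample payloads; the "cwd" field name is an assumption.
BENIGN = json.dumps({"cwd": "/home/dev/project"})
QUOTED = json.dumps({"cwd": "/tmp/it'''s"})  # valid JSON that contains '''

if __name__ == "__main__":
    for name, p in (("benign", BENIGN), ("quoted", QUOTED)):
        print(name, "| stays data:", stays_data(p), "| field:", read_field(p, "cwd"))
```

The same check also flags payloads containing backslash escapes, which a non-raw triple-quoted literal rewrites before the JSON parser sees them.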
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| claude-code-cache-fix (npm) | >= 3.5.0, < 3.5.2 | 3.5.2 |
Affected products (2)
- Range: >= 3.5.0, < 3.5.2
References (6)
- github.com/cnighswonger/claude-code-cache-fix/pull/110 (nvd; Issue Tracking, Patch; WEB)
- github.com/cnighswonger/claude-code-cache-fix/issues/108 (nvd; Exploit, Issue Tracking; WEB)
- github.com/advisories/GHSA-g3xq-3gmv-qq8g (ghsa; ADVISORY)
- github.com/cnighswonger/claude-code-cache-fix/security/advisories/GHSA-g3xq-3gmv-qq8g (nvd; Mitigation, Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-45136 (ghsa; ADVISORY)
- github.com/cnighswonger/claude-code-cache-fix/commit/613e4df30547f3e6baf32d161eddc828f171da17 (ghsa; WEB)