Vendor CVEs
Anthropic
All CVEs
39 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-39861 | Cri | 0.65 | 10.0 | 0.01 | Apr 21, 2026 | Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed… | ||
| CVE-2026-0757 | Hig | 0.57 | 8.8 | 0.01 | Jan 23, 2026 | MCP Manager for Claude Desktop execute-command Command Injection Sandbox Escape Vulnerability. This vulnerability allows remote attackers to bypass the sandbox on affected installations of MCP Manager for Claude Desktop. User interaction is required to exploit this vulnerability… | ||
| CVE-2025-52882 | Hig | 0.57 | — | 0.00 | Jun 24, 2025 | Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting… | ||
| CVE-2026-44470 | Hig | 0.51 | 7.8 | 0.00 | May 13, 2026 | The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real… | ||
| CVE-2026-22561 | Hig | 0.51 | 7.8 | 0.00 | Mar 31, 2026 | Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation,… | ||
| CVE-2026-40068 | Hig | 0.50 | 8.8 | 0.00 | May 5, 2026 | In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted,… | ||
| CVE-2026-55607 | imp | 0.46 | 7.1 | — | Jun 29, 2026 | Claude Code: @anthropic-ai/claude-code: Claude Code: Arbitrary code execution through git directory confusion | ||
| CVE-2026-46406 | mod | 0.44 | 6.8 | — | Jun 29, 2026 | @anthropic-ai/claude-code: Claude Code: Information disclosure and file overwrite via insecure temporary file in /copy command | ||
| CVE-2026-44467 | Med | 0.44 | 6.8 | 0.00 | May 13, 2026 | The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname existed in ~/.ssh/known_hosts without… | ||
| CVE-2026-35603 | Hig | 0.40 | 7.3 | 0.00 | Apr 17, 2026 | Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData… | ||
| CVE-2026-41686 | Med | 0.29 | 4.4 | 0.00 | May 4, 2026 | Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created memory files and directories using the… | ||
| CVE-2026-34451 | Med | 0.28 | 5.4 | 0.00 | Mar 31, 2026 | Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in the Anthropic TypeScript SDK validated model-supplied paths using a string prefix… | ||
| CVE-2026-34452 | Med | 0.27 | 5.3 | 0.00 | Mar 31, 2026 | The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory… | ||
| CVE-2026-34450 | Med | 0.22 | 4.4 | 0.00 | Mar 31, 2026 | The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created memory files with mode 0o666, leaving them world-readable on systems with a… | ||
| CVE-2025-66479 | Low | 0.05 | — | 0.00 | Dec 4, 2025 | Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a… | ||
| CVE-2026-7574 | 0.00 | — | 0.00 | Jun 23, 2026 | Anthropic Claude Desktop Cowork VM image handling (confirmed across v1.1348.0 through v1.2278.0, including v1.1348.0, v1.1617.0, and v1.2278.0) validates only file presence and a version marker string before booting rootfs.img, but does not verify image content integrity at… | |||
| CVE-2026-54316 | 0.00 | — | 0.00 | Jun 17, 2026 | Because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker… | |||
| CVE-2026-35022 | 0.00 | — | 0.01 | Apr 6, 2026 | Rejected reason: This CVE ID has been rejected by its CVE Numbering Authority (CNA). It was determined that the -p flag behavior is documented in Anthropic's claude -h output with an explicit warning that non-interactive mode should only be used in trusted directories, making… | |||
| CVE-2026-35021 | 0.00 | — | 0.00 | Apr 6, 2026 | Rejected reason: This CVE ID has been rejected by its CVE Numbering Authority (CNA). It was determined that the affected code path cannot be triggered through normal usage of Claude Code. | |||
| CVE-2026-35020 | 0.00 | — | 0.00 | Apr 6, 2026 | Rejected reason: This CVE ID has been rejected by the its CVE Numbering Authority (CNA). It was determined that the attack requires an attacker to already control arbitrary environment variables, a level of access they consider functionally equivalent to code execution and… | |||
| CVE-2026-33068 | 0.00 | — | 0.00 | Mar 20, 2026 | Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set… | |||
| CVE-2026-25725 | 0.00 | — | 0.00 | Feb 6, 2026 | Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and… | |||
| CVE-2026-25724 | 0.00 | — | 0.00 | Feb 6, 2026 | Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude… | |||
| CVE-2026-25723 | 0.00 | — | 0.00 | Feb 6, 2026 | Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories… | |||
| CVE-2026-25722 | 0.00 | — | 0.00 | Feb 6, 2026 | Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to… | |||
| CVE-2026-24887 | 0.00 | — | 0.01 | Feb 3, 2026 | Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to… | |||
| CVE-2026-24053 | 0.00 | — | 0.00 | Feb 3, 2026 | Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting… | |||
| CVE-2026-24052 | 0.00 | — | 0.00 | Feb 3, 2026 | Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org,… | |||
| CVE-2025-66032 | 0.00 | — | 0.01 | Dec 3, 2025 | Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability… | |||
| CVE-2025-64755 | 0.00 | — | 0.00 | Nov 21, 2025 | Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue has been patched in version 2.0.31. | |||
| CVE-2025-65099 | 0.00 | — | 0.00 | Nov 19, 2025 | Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would… | |||
| CVE-2025-59829 | 0.00 | — | 0.00 | Oct 3, 2025 | Claude Code is an agentic coding tool. Versions below 1.0.120 failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to that file, it was possible for Claude… | |||
| CVE-2025-59536 | 0.00 | — | 0.30 | Oct 3, 2025 | Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog.… | |||
| CVE-2025-59828 | 0.00 | — | 0.00 | Sep 24, 2025 | Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be… | |||
| CVE-2025-59041 | 0.00 | — | 0.01 | Sep 10, 2025 | Claude Code is an agentic coding tool. At startup, Claude Code executed a command templated in with `git config user.email`. Prior to version 1.0.105, a maliciously configured user email in git could be used to trigger arbitrary code execution before a user accepted the… | |||
| CVE-2025-58764 | 0.00 | — | 0.01 | Sep 10, 2025 | Claude Code is an agentic coding tool. Due to an error in command parsing, versions prior to 1.0.105 were vulnerable to a bypass of the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted… | |||
| CVE-2025-55284 | 0.00 | — | 0.00 | Aug 16, 2025 | Claude Code is an agentic coding tool. Prior to version 1.0.4, it's possible to bypass the Claude Code confirmation prompts to read a file and then send file contents over the network without user confirmation due to an overly broad allowlist of safe commands. Reliably… | |||
| CVE-2025-54794 | 0.00 | — | 0.01 | Aug 5, 2025 | Claude Code is an agentic coding tool. In versions below 0.2.111, a path validation flaw using prefix matching instead of canonical path comparison, makes it possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on the… | |||
| CVE-2025-54795 | 0.00 | — | 0.01 | Aug 5, 2025 | Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into… |
- risk 0.65cvss 10.0epss 0.01
Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed…
- risk 0.57cvss 8.8epss 0.01
MCP Manager for Claude Desktop execute-command Command Injection Sandbox Escape Vulnerability. This vulnerability allows remote attackers to bypass the sandbox on affected installations of MCP Manager for Claude Desktop. User interaction is required to exploit this vulnerability…
- risk 0.57cvss —epss 0.00
Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting…
- risk 0.51cvss 7.8epss 0.00
The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real…
- risk 0.51cvss 7.8epss 0.00
Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation,…
- risk 0.50cvss 8.8epss 0.00
In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted,…
- risk 0.46cvss 7.1epss —
Claude Code: @anthropic-ai/claude-code: Claude Code: Arbitrary code execution through git directory confusion
- risk 0.44cvss 6.8epss —
@anthropic-ai/claude-code: Claude Code: Information disclosure and file overwrite via insecure temporary file in /copy command
- risk 0.44cvss 6.8epss 0.00
The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname existed in ~/.ssh/known_hosts without…
- risk 0.40cvss 7.3epss 0.00
Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData…
- risk 0.29cvss 4.4epss 0.00
Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created memory files and directories using the…
- risk 0.28cvss 5.4epss 0.00
Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in the Anthropic TypeScript SDK validated model-supplied paths using a string prefix…
- risk 0.27cvss 5.3epss 0.00
The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory…
- risk 0.22cvss 4.4epss 0.00
The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created memory files with mode 0o666, leaving them world-readable on systems with a…
- risk 0.05cvss —epss 0.00
Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a…
- CVE-2026-7574Jun 23, 2026risk 0.00cvss —epss 0.00
Anthropic Claude Desktop Cowork VM image handling (confirmed across v1.1348.0 through v1.2278.0, including v1.1348.0, v1.1617.0, and v1.2278.0) validates only file presence and a version marker string before booting rootfs.img, but does not verify image content integrity at…
- CVE-2026-54316Jun 17, 2026risk 0.00cvss —epss 0.00
Because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker…
- CVE-2026-35022Apr 6, 2026risk 0.00cvss —epss 0.01
Rejected reason: This CVE ID has been rejected by its CVE Numbering Authority (CNA). It was determined that the -p flag behavior is documented in Anthropic's claude -h output with an explicit warning that non-interactive mode should only be used in trusted directories, making…
- CVE-2026-35021Apr 6, 2026risk 0.00cvss —epss 0.00
Rejected reason: This CVE ID has been rejected by its CVE Numbering Authority (CNA). It was determined that the affected code path cannot be triggered through normal usage of Claude Code.
- CVE-2026-35020Apr 6, 2026risk 0.00cvss —epss 0.00
Rejected reason: This CVE ID has been rejected by the its CVE Numbering Authority (CNA). It was determined that the attack requires an attacker to already control arbitrary environment variables, a level of access they consider functionally equivalent to code execution and…
- CVE-2026-33068Mar 20, 2026risk 0.00cvss —epss 0.00
Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set…
- CVE-2026-25725Feb 6, 2026risk 0.00cvss —epss 0.00
Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and…
- CVE-2026-25724Feb 6, 2026risk 0.00cvss —epss 0.00
Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude…
- CVE-2026-25723Feb 6, 2026risk 0.00cvss —epss 0.00
Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories…
- CVE-2026-25722Feb 6, 2026risk 0.00cvss —epss 0.00
Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to…
- CVE-2026-24887Feb 3, 2026risk 0.00cvss —epss 0.01
Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to…
- CVE-2026-24053Feb 3, 2026risk 0.00cvss —epss 0.00
Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting…
- CVE-2026-24052Feb 3, 2026risk 0.00cvss —epss 0.00
Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org,…
- CVE-2025-66032Dec 3, 2025risk 0.00cvss —epss 0.01
Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability…
- CVE-2025-64755Nov 21, 2025risk 0.00cvss —epss 0.00
Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue has been patched in version 2.0.31.
- CVE-2025-65099Nov 19, 2025risk 0.00cvss —epss 0.00
Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would…
- CVE-2025-59829Oct 3, 2025risk 0.00cvss —epss 0.00
Claude Code is an agentic coding tool. Versions below 1.0.120 failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to that file, it was possible for Claude…
- CVE-2025-59536Oct 3, 2025risk 0.00cvss —epss 0.30
Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog.…
- CVE-2025-59828Sep 24, 2025risk 0.00cvss —epss 0.00
Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be…
- CVE-2025-59041Sep 10, 2025risk 0.00cvss —epss 0.01
Claude Code is an agentic coding tool. At startup, Claude Code executed a command templated in with `git config user.email`. Prior to version 1.0.105, a maliciously configured user email in git could be used to trigger arbitrary code execution before a user accepted the…
- CVE-2025-58764Sep 10, 2025risk 0.00cvss —epss 0.01
Claude Code is an agentic coding tool. Due to an error in command parsing, versions prior to 1.0.105 were vulnerable to a bypass of the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted…
- CVE-2025-55284Aug 16, 2025risk 0.00cvss —epss 0.00
Claude Code is an agentic coding tool. Prior to version 1.0.4, it's possible to bypass the Claude Code confirmation prompts to read a file and then send file contents over the network without user confirmation due to an overly broad allowlist of safe commands. Reliably…
- CVE-2025-54794Aug 5, 2025risk 0.00cvss —epss 0.01
Claude Code is an agentic coding tool. In versions below 0.2.111, a path validation flaw using prefix matching instead of canonical path comparison, makes it possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on the…
- CVE-2025-54795Aug 5, 2025risk 0.00cvss —epss 0.01
Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into…