What is GHSA-p5qq-v9mc-39ff?

GHSA-p5qq-v9mc-39ff is a security advisory published by GitHub Security Advisories with High severity. Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability...

Which CVE IDs does GHSA-p5qq-v9mc-39ff cover?

GHSA-p5qq-v9mc-39ff covers the following CVE IDs: CVE-2026-47092. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-p5qq-v9mc-39ff?

GHSA-p5qq-v9mc-39ff has a CVSS v3 base score of 7.8, published by GitHub Security Advisories.

GHSA-p5qq-v9mc-39ffHighCVSS 7.8

Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability...

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-47092 →

📋 Description

Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud performs its version check, causing execFile() to execute the attacker-supplied executable with cmd.exe arguments, resulting in arbitrary code execution on Windows systems.

🔗 References (6)

https://nvd.nist.gov/vuln/detail/CVE-2026-47092
https://github.com/jarrodwatts/claude-hud/issues/485
https://github.com/jarrodwatts/claude-hud/pull/487
https://github.com/jarrodwatts/claude-hud/commit/234d9aad919b51326a43bcf90b45ae35c23afc30
https://www.vulncheck.com/advisories/claude-hud-arbitrary-command-execution-via-comspec-environment-variable
https://github.com/advisories/GHSA-p5qq-v9mc-39ff