CVE-2026-31861

Description

CVSS 8.8 command injection (CWE-78) in @siteboon/claude-code-ui, a package in the tooling adjacent to Claude Code: user-supplied Git config values are interpolated inside double quotes into a command string passed to child_process.exec(), enabling arbitrary command execution. This entry documents that the CWE-78 pattern has spread into the Claude Code ecosystem beyond the core CLI itself. Unpatched as of April 5, 2026.
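
The hardened counterpart of the pattern described above, as an added example (not code from @siteboon/claude-code-ui): the Git config value is passed as a single argv element to execFile instead of being placed in a shell string. The function names, the key allowlist, the length limit and the sample value are assumptions constructed for illustration.

```javascript
const { execFileSync } = require('node:child_process');

// Vulnerable shape described above (comment only, never executed here):
//   exec(`git config user.name "${value}"`)
// exec() hands the whole string to a shell; inside double quotes the shell
// still expands $(...) and backticks, and an embedded " ends the quoting.

// Hypothetical allowlist: the only keys this UI is permitted to write.
const ALLOWED_KEYS = new Set(['user.name', 'user.email']);

// Reject values that have no place in a name or e-mail field.
function validateValue(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 256) {
    throw new TypeError('value must be a non-empty string of at most 256 chars');
  }
  if (/[\u0000-\u001f\u007f]/.test(value)) {
    throw new TypeError('value must not contain control characters');
  }
  if (value.startsWith('-')) {
    // Without a shell, a leading dash could still be read by git as an option.
    throw new TypeError('value must not start with "-"');
  }
  return value;
}

// Build an argument vector: the value is exactly one argv element and is
// never parsed by a shell, so quotes, $ and backticks are stored literally.
function gitConfigArgs(key, value) {
  if (!ALLOWED_KEYS.has(key)) throw new RangeError(`key not allowed: ${key}`);
  return ['config', '--local', key, validateValue(value)];
}

// Run git directly. execFileSync spawns no shell by default; shell: false
// states that intent explicitly so a later edit cannot flip it unnoticed.
function setGitConfig(repoDir, key, value) {
  return execFileSync('git', gitConfigArgs(key, value), {
    cwd: repoDir, shell: false, encoding: 'utf8', timeout: 5000,
  });
}

// Constructed sample input containing shell metacharacters.
const SAMPLE = 'Alice "$(echo x)" `echo y`';
console.log(gitConfigArgs('user.name', SAMPLE));
```

When reviewing a code base for this pattern, search for exec() or execSync() calls whose argument is a template literal or string concatenation that includes request data.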

Key claims

Relations

Sources

src-20260409-f5e09e325670