CVE-2026-35021
- Entity ID: ent-20260419-a1b2c3d4e503
- Type: issue
- Scope: shared
- Status: active
- Aliases: promptEditor.ts editor launch injection
Description
High-severity (CVSS 7.8) command injection in the promptEditor.ts editor-launch path. Exploitation requires user interaction via the editor flow. It shares its root cause with the other two Phoenix Security CVEs: user-controlled string interpolation into shell commands. Unpatched on v2.1.91 as of April 3, 2026.
Key claims
- All five known Claude Code CVEs share CWE-78 (OS command injection via unsanitized string interpolation)
Relations
- none yet