Product
A vulnerability exists in claude-code-cache-fix versions 3.5.0 and 3.5.1 where the `tools/quota-statusline.sh` script interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal, allowing local code execution via Python triple-quote injection (CVE-2026-45136).