{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/claude-hud--0.0.12/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-47092"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Claude HUD (\u003c= 0.0.12)"],"_cs_severities":["high"],"_cs_tags":["command-injection","vulnerability","windows"],"_cs_type":"advisory","_cs_vendors":["VulnCheck"],"content_html":"\u003cp\u003eClaude HUD through version 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability (CVE-2026-47092). A local attacker can exploit this flaw by manipulating the COMSPEC environment variable. Specifically, the application performs a version check using \u003ccode\u003eexecFile()\u003c/code\u003e. If the attacker sets COMSPEC to an arbitrary binary path prior to this check, the attacker-supplied executable will be executed with cmd.exe arguments. This allows for arbitrary code execution on vulnerable Windows systems. This vulnerability matters to defenders because it allows an attacker to gain unauthorized access and control over affected systems, potentially leading to data breaches, system compromise, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains local access to the target Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies that Claude HUD version 0.0.12 or earlier is installed.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the COMSPEC environment variable to point to a malicious executable. For example, they might set \u003ccode\u003eCOMSPEC=C:\\evil\\malware.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the Claude HUD application, which initiates its version check.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexecFile()\u003c/code\u003e function is called to execute the version check. Due to the manipulated COMSPEC variable, the attacker-controlled executable (\u003ccode\u003eC:\\evil\\malware.exe\u003c/code\u003e in this example) is executed instead of the intended command.\u003c/li\u003e\n\u003cli\u003eThe malicious executable runs with the privileges of the user running Claude HUD.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this command injection vulnerability (CVE-2026-47092) allows a local attacker to execute arbitrary commands on the targeted Windows system. This can lead to a complete compromise of the system, including unauthorized access to sensitive data, installation of malware, or further lateral movement within the network. The NVD assigned this vulnerability a CVSS v3.1 score of 7.8, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided in commit 234d9aa to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement the following Sigma rule to detect suspicious modifications to the COMSPEC environment variable.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for execution of unusual binaries from non-standard locations when Claude HUD is run.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T20:18:14Z","date_published":"2026-05-18T20:18:14Z","id":"https://feed.craftedsignal.io/briefs/2026-05-claude-hud-command-injection/","summary":"Claude HUD through version 0.0.12 is vulnerable to command injection (CVE-2026-47092) allowing a local attacker to execute arbitrary commands on a Windows system by manipulating the COMSPEC environment variable; this vulnerability has been patched in commit 234d9aa.","title":"Claude HUD Command Injection Vulnerability via COMSPEC Manipulation (CVE-2026-47092)","url":"https://feed.craftedsignal.io/briefs/2026-05-claude-hud-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Claude HUD (\u003c= 0.0.12)","version":"https://jsonfeed.org/version/1.1"}