CVE-2026-31862

Published: Mar 11, 2026Modified: Mar 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability is fixed in 1.24.0.

Affected (1)

Products: Cloudcli: Cloud Cli

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cloudcli Cloud Cli	Before 1.24.0

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://github.com/siteboon/claudecodeui/releases/tag/v1.24.0

Source: security-advisories@github.com

Release Notes

https://github.com/siteboon/claudecodeui/security/advisories/GHSA-f2fc-vc88-6w7q

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.