claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh — CVE-2026-45136
GitHub · GitHub · CVE-2026-45136
ID
CVE-2026-45136
CVE-2026-45136
Date
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
Summary
## Summary `tools/quota-statusline.sh` (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A `'''` byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process. ## Affected versions - v3.5.0 - v3.5.1 ## Patched versions - v3.5.2 ## Affected…
Product
npm: claude-code-cache-fix
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.