CVE-2026-45136

Name of the Vulnerable Software and Affected Versions claude-code-cache-fix versions 3.5.0 through 3.5.1

Description The tools/quota-statusline.sh script interpolates the Claude Code hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload can close the literal prematurely, allowing subsequent bytes to be executed as Python code within the user's Claude Code process. This can occur if a user navigates into a directory containing a hostile name (e.g., via git clone or archive extraction) while having the tools/quota-statusline.sh script configured in the statusLine setting. The affected payload fields include cwd, workspace.current dir, workspace.project dir, and transcript path.

Recommendations Update claude-code-cache-fix to version 3.5.2. As a temporary workaround, disable the statusline by removing the statusLine entry from ~/.claude/settings.json. Alternatively, replace tools/quota-statusline.sh with a script that does not pass stdin through python3 -c "...".