PT-2026-41730 · Unknown · Claude-Hud

Katriel Moses · Published 2026-05-18 · Updated 2026-05-20


CVE-2026-47090

CVSS v3.1: 4.6 Medium

Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Claude HUD versions 0.0.0 through 0.0.12

Description

The software constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values. This allows attackers to inject arbitrary ANSI codes into terminal sessions by embedding ESC+backslash sequences in the current working directory or branch URL. Potential impacts include text color changes, forged prompts, OSC 52 clipboard writes, or triggering outbound HTTP requests to attacker-controlled remotes when hyperlinks are clicked.

Recommendations

Update to the version containing commit 234d9aa. As a temporary workaround, avoid using directories or branch URLs containing control characters in the cwd and branchUrl variables.
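
The unsafe construction described above next to a hardened form, as an added example that is not Claude HUD's code and not necessarily what commit 234d9aa does. The function names, the mapping of a URL to the link target and cwd to the visible label, and the sample path are assumptions made for illustration.

```javascript
// Added example with hypothetical helper names; not Claude HUD's own code.
const ESC = "\x1b";
const ST = ESC + "\\"; // String Terminator: ends an OSC sequence
// C0 controls, DEL and C1 controls (C1 includes 8-bit OSC 0x9d and ST 0x9c).
const CONTROL = /[\u0000-\u001f\u007f-\u009f]/g;

// The pattern the advisory describes: raw values placed inside the sequence.
function unsafeLink(url, label) {
  return `${ESC}]8;;${url}${ST}${label}${ESC}]8;;${ST}`;
}

// Link target: percent-encode every byte outside printable ASCII, so an
// embedded ESC+backslash can no longer terminate the OSC 8 sequence early.
function encodeUri(url) {
  let out = "";
  for (const b of new TextEncoder().encode(url)) {
    out += b >= 0x20 && b <= 0x7e
      ? String.fromCharCode(b)
      : "%" + b.toString(16).toUpperCase().padStart(2, "0");
  }
  return out;
}

// Visible label: drop control characters instead of passing them to the terminal.
function stripControls(text) {
  return text.replace(CONTROL, "");
}

function safeLink(url, label) {
  return `${ESC}]8;;${encodeUri(url)}${ST}${stripControls(label)}${ESC}]8;;${ST}`;
}

// A well-formed OSC 8 link holds exactly 4 ESC bytes (two openers, two STs).
function escCount(s) {
  return s.split(ESC).length - 1;
}

// Constructed sample: a directory name carrying ESC+backslash and a colour code.
const cwd = `/tmp/proj${ESC}\\${ESC}[31mred`;
const url = `file://${cwd}`;
console.log("unsafe ESC bytes:", escCount(unsafeLink(url, cwd)));
console.log("safe ESC bytes:  ", escCount(safeLink(url, cwd)));
```

Counting ESC bytes in rendered output is also a usable regression check: any value above 4 for a single link means a control character from the input reached the terminal.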

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-47090

Affected Products

Claude-Hud