CVE-2026-24053

CVSS v4.0

7.7

High

Vector

AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Claude Code versions prior to 2.0.74

Description Claude Code is an agentic coding tool affected by a Bash command validation flaw when parsing ZSH clobber syntax. This flaw allowed bypassing directory restrictions and writing files outside the current working directory without user permission prompts. Exploitation required the use of ZSH and the ability to add untrusted content into a Claude Code context window.

Recommendations Update to version 2.0.74 or later.

Exploit

Fix

Path traversal

OS Command Injection

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22CWE-78CWE-79

Related Identifiers

CVE-2026-24053

GHSA-Q728-GF8J-W49R

Affected Products

Claude-Code

CVE-2026-24053

Weakness Enumeration

Related Identifiers

Affected Products

References · 8