{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31862", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T19:02:25.013Z", "datePublished": "2026-03-11T17:17:47.941Z", "dateUpdated": "2026-03-12T14:22:04.149Z"}, "containers": {"cna": {"title": "Cloud CLI has Command Injection via Multiple Parameters", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/siteboon/claudecodeui/security/advisories/GHSA-f2fc-vc88-6w7q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/siteboon/claudecodeui/security/advisories/GHSA-f2fc-vc88-6w7q"}, {"name": "https://github.com/siteboon/claudecodeui/releases/tag/v1.24.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/siteboon/claudecodeui/releases/tag/v1.24.0"}], "affected": [{"vendor": "siteboon", "product": "claudecodeui", "versions": [{"version": "< 1.24.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T17:17:47.941Z"}, "descriptions": [{"lang": "en", "value": "Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability is fixed in 1.24.0."}], "source": {"advisory": "GHSA-f2fc-vc88-6w7q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:21:55.099672Z", "id": "CVE-2026-31862", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:22:04.149Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31862", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T14:21:55.099672Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:21:59.501Z"}}], "cna": {"title": "Cloud CLI has Command Injection via Multiple Parameters", "source": {"advisory": "GHSA-f2fc-vc88-6w7q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "siteboon", "product": "claudecodeui", "versions": [{"status": "affected", "version": "< 1.24.0"}]}], "references": [{"url": "https://github.com/siteboon/claudecodeui/security/advisories/GHSA-f2fc-vc88-6w7q", "name": "https://github.com/siteboon/claudecodeui/security/advisories/GHSA-f2fc-vc88-6w7q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/siteboon/claudecodeui/releases/tag/v1.24.0", "name": "https://github.com/siteboon/claudecodeui/releases/tag/v1.24.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability is fixed in 1.24.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T17:17:47.941Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31862", "state": "PUBLISHED", "dateUpdated": "2026-03-12T14:22:04.149Z", "dateReserved": "2026-03-09T19:02:25.013Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T17:17:47.941Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudcli:cloud_cli:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D084438-4C97-467F-8517-14FE6949B298", "versionEndExcluding": "1.24.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability is fixed in 1.24.0."}, {"lang": "es", "value": "Cloud CLI (tambi\u00e9n conocida como Claude Code UI) es una interfaz de usuario (UI) de escritorio y m\u00f3vil para Claude Code, Cursor CLI, Codex y Gemini-CLI. Antes de la versi\u00f3n 1.24.0, m\u00faltiples puntos finales de API relacionados con Git utilizan execAsync() con interpolaci\u00f3n de cadenas de par\u00e1metros controlados por el usuario (file, branch, message, commit), lo que permite a atacantes autenticados ejecutar comandos arbitrarios del sistema operativo. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.24.0."}], "id": "CVE-2026-31862", "lastModified": "2026-03-17T19:04:29.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2026-03-11T18:16:25.073", "references": [{"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/siteboon/claudecodeui/releases/tag/v1.24.0"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/siteboon/claudecodeui/security/advisories/GHSA-f2fc-vc88-6w7q"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.24.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "claudecodeui", "source": "cna", "vendor": "siteboon"}, "product": "claudecodeui", "vendor": "siteboon"}], "created": "2026-03-12T09:57:39.796178+00:00", "updated": "2026-03-12T09:57:39.796261+00:00", "vendors": ["siteboon", "siteboon$PRODUCT$claudecodeui"]}