claude-code-cache-fix: Local code execution via Python triple-quote injection in tools/quota-statusline.sh

8.6 / 10

HIGH

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Description

claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process. This vulnerability is fixed in 3.5.2.

AI Analysis

Local code execution via Python triple-quote injection in tools/quota-statusline.sh

Basic Information

ID CVE-2026-45136

Source GitHub_M

Published May 27, 2026 at 20:48

Affected Product

Vendor cnighswonger

Product claude-code-cache-fix

Version >= 3.5.0, < 3.5.2

Affected Versions cnighswonger claude-code-cache-fix >= 3.5.0, < 3.5.2

CWE Classification

CWE-78 CWE-94

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor cnighswonger

Product claude-code-cache-fix

Version 3.5.0-3.5.1

References

{
    "lastseen": "",
    "description": "claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process. This vulnerability is fixed in 3.5.2.",
    "published": "2026-05-27T20:48:22.312Z",
    "modified": "2026-05-27T20:48:22.312Z",
    "type": "cve",
    "title": "claude-code-cache-fix: Local code execution via Python triple-quote injection in tools/quota-statusline.sh",
    "source": "GitHub_M",
    "references": "https://github.com/cnighswonger/claude-code-cache-fix/security/advisories/GHSA-g3xq-3gmv-qq8g\nhttps://github.com/cnighswonger/claude-code-cache-fix/issues/108\nhttps://github.com/cnighswonger/claude-code-cache-fix/pull/110",
    "id": "CVE-2026-45136",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78",
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "cnighswonger claude-code-cache-fix >= 3.5.0, < 3.5.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "claude-code-cache-fix",
    "version": ">= 3.5.0, < 3.5.2",
    "vendor": "cnighswonger",
    "ai_description": "Local code execution via Python triple-quote injection in tools/quota-statusline.sh",
    "ai_severity": "High",
    "ai_vendor": "cnighswonger",
    "ai_product": "claude-code-cache-fix",
    "ai_version": "3.5.0-3.5.1",
    "ai_score": 8.6
}

claude-code-cache-fix: Local code execution via Python triple-quote injection in tools/quota-statusline.sh_CVE-2026-45136