DailyCVE reported on 13 May 2026 a critical code injection vulnerability in Anthropic's Claude Code, tracked as GHSA-g3xq-3gmv-qq8g and affecting versions v3.5.0 and v3.5.1. The flaw resides in the tools/quota-statusline.sh statusline hook, which embeds user-controlled JSON fields (cwd, workspace.current_dir, workspace.project_dir, transcript_path) directly into a Python triple-quoted string passed to json.loads, allowing a hostile directory or file name to break out of the literal and execute arbitrary Python and shell commands. Exploitation requires only that a victim with the recommended statusline configuration enter a malicious directory delivered via git clone, archive extraction, an npm package, or a downloaded zip; the hook then fires on every UI redraw, yielding persistent code execution at user privilege with access to shell, SSH keys, local files, and credentials. The advisory states a fix is available in Claude Code v3.5.2, which replaces the unsafe interpolation with a bash heredoc and passes input via an environment variable. Users are advised to upgrade or remove the statusLine entry from ~/.claude/settings.json.
// Alert
Claude threat report
// ClaudeCRITICAL
// Get alerts for Claude