Cyber Resilience

CVE-2026-47092

High · Public PoC · Updated

Published: 18 May 2026
Modified: 02 June 2026
KEV Added: (no value given)
Patch: (no value given)
CVSS v4 score: 7.3 (vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0052 (40.1st percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-47092 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Jarrodwatts Claude Hud. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003). The CVE ranks at the 40.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is classified as AI-related: category Enterprise AI Assistants, risk domain Supply Chain and Deployment.

Vulnerability details

Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud performs its version check, causing execFile() to execute the attacker-supplied executable with cmd.exe arguments, resulting in arbitrary code execution on Windows systems.

CWE(s)

CWE-427: Uncontrolled Search Path Element

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: claude

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.003 Windows Command Shell (Execution): Adversaries may abuse the Windows command shell for execution.
T1574 Hijack Execution Flow (Stealth): Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.
Why these techniques?

Local COMSPEC manipulation enables direct arbitrary command execution via Windows shell and hijacks execution flow through environment variable abuse.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-15558 (shared CWE-427)
CVE-2026-5271 (shared CWE-427)
CVE-2026-7279 (shared CWE-427)
CVE-2024-9494 (shared CWE-427)
CVE-2024-9497 (shared CWE-427)
CVE-2026-2713 (shared CWE-427)
CVE-2026-42171 (shared CWE-427)
CVE-2022-50808 (shared CWE-427)
CVE-2024-55540 (shared CWE-427)
CVE-2026-4134 (shared CWE-427)

Affected Assets

jarrodwatts claude hud, versions ≤ 0.0.12

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References