What is GHSA-4524-x6pc-rr9x?

GHSA-4524-x6pc-rr9x is a security advisory published by GitHub Security Advisories with Medium severity. Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability...

Which CVE IDs does GHSA-4524-x6pc-rr9x cover?

GHSA-4524-x6pc-rr9x covers the following CVE IDs: CVE-2026-47091. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-4524-x6pc-rr9x?

GHSA-4524-x6pc-rr9x has a CVSS v3 base score of 3.3, published by GitHub Security Advisories.

GHSA-4524-x6pc-rr9xMediumCVSS 3.3

Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability...

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-47091 →

📋 Description

Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary files by supplying an unvalidated transcript_path value via stdin JSON. Attackers can access any file readable by the process and the file metadata is written to a persistent cache file with insufficient permissions, creating a forensic record of accessed paths that survives process exit.

🔗 References (6)

https://nvd.nist.gov/vuln/detail/CVE-2026-47091
https://github.com/jarrodwatts/claude-hud/issues/485
https://github.com/jarrodwatts/claude-hud/pull/487
https://github.com/jarrodwatts/claude-hud/commit/234d9aad919b51326a43bcf90b45ae35c23afc30
https://www.vulncheck.com/advisories/claude-hud-path-traversal-via-transcript-path
https://github.com/advisories/GHSA-4524-x6pc-rr9x