CVE-2026-31862: @siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters

March 11, 2026

Multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands.

References

github.com/advisories/GHSA-f2fc-vc88-6w7q
github.com/siteboon/claudecodeui
github.com/siteboon/claudecodeui/releases/tag/v1.24.0
github.com/siteboon/claudecodeui/security/advisories/GHSA-f2fc-vc88-6w7q
nvd.nist.gov/vuln/detail/CVE-2026-31862

Code Behaviors & Features

Detect and mitigate CVE-2026-31862 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →