CVE-2026-45136: claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh
(updated )
tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code’s hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user’s Claude Code process.
References
- github.com/advisories/GHSA-g3xq-3gmv-qq8g
- github.com/cnighswonger/claude-code-cache-fix/commit/613e4df30547f3e6baf32d161eddc828f171da17
- github.com/cnighswonger/claude-code-cache-fix/issues/108
- github.com/cnighswonger/claude-code-cache-fix/pull/110
- github.com/cnighswonger/claude-code-cache-fix/security/advisories/GHSA-g3xq-3gmv-qq8g
- nvd.nist.gov/vuln/detail/CVE-2026-45136
Code Behaviors & Features
Detect and mitigate CVE-2026-45136 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →