ZDI-26-124 discloses a critical command injection vulnerability in the claude-hovercraft tool's executeClaudeCode function, scoring CVSS 9.8 with no authentication required.
Check Point Research disclosed three vulnerabilities in Anthropic's Claude Code CLI that allowed remote code execution and API key theft through malicious project configuration files - all triggered before trust prompts appeared.
Anthropic's new Claude Code Security tool found 500+ zero-day vulnerabilities in open-source projects. CrowdStrike dropped 8%, Okta 10%. The cybersecurity industry is not having a good day.
