Claude HUD Command Injection Vulnerability via COMSPEC Environment Variable Allowing Arbitrary Command Execution on Windows

Vulnerability

A command injection vulnerability has been identified in Claude HUD versions through 0.0.12. This vulnerability allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. When COMSPEC is set to a custom binary path, the application inadvertently executes the specified executable with cmd.exe arguments during a version check. This flaw, present in the Windows version of the application, has been patched in version 0.0.12.

Impact

Exploitation of this vulnerability leads to arbitrary code execution on Windows systems.

Reproduction

To reproduce this vulnerability, set the COMSPEC environment variable to an arbitrary executable path before launching Claude HUD. The application will execute the specified program with command-line arguments, allowing for the execution of malicious commands.

Remediation

Users can update to Claude HUD version 0.0.12 or later, where this vulnerability has been patched.

Added: May 18, 2026, 8:20 PM
Updated: May 18, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          7.5
  exploitability  4.2
  remediation     0.0
  relevance       8.7
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.