{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15060", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2025-12-23T20:39:36.859Z", "datePublished": "2026-03-13T20:43:36.780Z", "dateUpdated": "2026-03-16T15:41:05.701Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-03-13T20:43:36.780Z"}, "title": "claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability", "descriptions": [{"lang": "en", "value": "claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of claude-hovercraft. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the executeClaudeCode method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27785."}], "affected": [{"vendor": "claude-hovercraft", "product": "claude-hovercraft", "versions": [{"version": "96e46a44f090b5b4359aec51bcd97354ffe8b17d", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-124/", "name": "ZDI-26-124", "tags": ["x_research-advisory"]}], "dateAssigned": "2025-12-23T20:39:36.889Z", "datePublic": "2026-02-25T18:04:41.147Z", "source": {"lang": "en", "value": "Peter Girnus (@gothburz) of Trend Research"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15060", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T15:27:37.889168Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:41:05.701Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15060", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T15:27:37.889168Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:31:41.421Z"}}], "cna": {"title": "claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability", "source": {"lang": "en", "value": "Peter Girnus (@gothburz) of Trend Research"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "claude-hovercraft", "product": "claude-hovercraft", "versions": [{"status": "affected", "version": "96e46a44f090b5b4359aec51bcd97354ffe8b17d"}], "defaultStatus": "unknown"}], "datePublic": "2026-02-25T18:04:41.147Z", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-124/", "name": "ZDI-26-124", "tags": ["x_research-advisory"]}], "dateAssigned": "2025-12-23T20:39:36.889Z", "descriptions": [{"lang": "en", "value": "claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of claude-hovercraft. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the executeClaudeCode method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27785."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-03-13T20:43:36.780Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15060", "state": "PUBLISHED", "dateUpdated": "2026-03-16T15:41:05.701Z", "dateReserved": "2025-12-23T20:39:36.859Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2026-03-13T20:43:36.780Z", "assignerShortName": "zdi"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of claude-hovercraft. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the executeClaudeCode method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27785."}], "id": "CVE-2025-15060", "lastModified": "2026-03-16T14:53:46.157", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-03-16T14:17:55.780", "references": [{"source": "zdi-disclosures@trendmicro.com", "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-124/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "96e46a44f090b5b4359aec51bcd97354ffe8b17d"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "claude-hovercraft", "source": "cna", "vendor": "claude-hovercraft"}, "product": "claude-hovercraft", "vendor": "claude-hovercraft"}], "analysis": {"en": {"generated_at": "2026-03-19T14:35:19.847061+00:00", "value": {"mitigation_remediation": ["Apply any vendor\u2011supplied patch or upgrade to the latest version of claude\u2011hovercraft as soon as it becomes available.", "If a patch is not yet available, restrict network access to the service or block unauthenticated traffic reaching the executeClaudeCode endpoint.", "Monitor system logs for suspicious command execution or anomalous activity related to the executeClaudeCode functionality.", "Check the vendor\u2019s website or the referenced advisory (https://www.zerodayinitiative.com/advisories/ZDI-26-124/) for updates or additional guidance."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected vendors: claude\u2011hovercraft (product claude\u2011hovercraft). No exact version information is provided, so all releases containing the executeClaudeCode method may be vulnerable until a patch is issued.", "description_and_impact": "This vulnerability resides in the executeClaudeCode method of claude\u2011hovercraft. The method fails to validate a user\u2011supplied string before passing it to a system call, allowing an attacker to inject arbitrary commands. Because authentication is not required, any network user can trigger the flaw. The impact is remote code execution on the server running the claude\u2011hovercraft service, with the privileges of the service account, mapping to CWE\u201178. An attacker could install malware, exfiltrate data, or pivot to other systems.", "risk_and_exploitability": "The CVSS base score of 9.8 denotes critical severity, while the EPSS score of 2% indicates that automated exploitation is not widespread yet. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is remote and network\u2011based; an attacker can send a crafted request to the executeClaudeCode endpoint and force command execution without credentials."}}}}, "created": "2026-03-16T09:23:01.755486+00:00", "updated": "2026-03-23T13:39:34.592308+00:00", "vendors": ["claude-hovercraft", "claude-hovercraft$PRODUCT$claude-hovercraft"]}