{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31862", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T19:02:25.013Z", "datePublished": "2026-03-11T17:17:47.941Z", "dateUpdated": "2026-03-12T14:22:04.149Z"}, "containers": {"cna": {"title": "Cloud CLI has Command Injection via Multiple Parameters", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/siteboon/claudecodeui/security/advisories/GHSA-f2fc-vc88-6w7q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/siteboon/claudecodeui/security/advisories/GHSA-f2fc-vc88-6w7q"}, {"name": "https://github.com/siteboon/claudecodeui/releases/tag/v1.24.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/siteboon/claudecodeui/releases/tag/v1.24.0"}], "affected": [{"vendor": "siteboon", "product": "claudecodeui", "versions": [{"version": "< 1.24.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T17:17:47.941Z"}, "descriptions": [{"lang": "en", "value": "Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability is fixed in 1.24.0."}], "source": {"advisory": "GHSA-f2fc-vc88-6w7q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:21:55.099672Z", "id": "CVE-2026-31862", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:22:04.149Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31862", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T14:21:55.099672Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:21:59.501Z"}}], "cna": {"title": "Cloud CLI has Command Injection via Multiple Parameters", "source": {"advisory": "GHSA-f2fc-vc88-6w7q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "siteboon", "product": "claudecodeui", "versions": [{"status": "affected", "version": "< 1.24.0"}]}], "references": [{"url": "https://github.com/siteboon/claudecodeui/security/advisories/GHSA-f2fc-vc88-6w7q", "name": "https://github.com/siteboon/claudecodeui/security/advisories/GHSA-f2fc-vc88-6w7q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/siteboon/claudecodeui/releases/tag/v1.24.0", "name": "https://github.com/siteboon/claudecodeui/releases/tag/v1.24.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability is fixed in 1.24.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T17:17:47.941Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31862", "state": "PUBLISHED", "dateUpdated": "2026-03-12T14:22:04.149Z", "dateReserved": "2026-03-09T19:02:25.013Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T17:17:47.941Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudcli:cloud_cli:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D084438-4C97-467F-8517-14FE6949B298", "versionEndExcluding": "1.24.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability is fixed in 1.24.0."}, {"lang": "es", "value": "Cloud CLI (tambi\u00e9n conocida como Claude Code UI) es una interfaz de usuario (UI) de escritorio y m\u00f3vil para Claude Code, Cursor CLI, Codex y Gemini-CLI. Antes de la versi\u00f3n 1.24.0, m\u00faltiples puntos finales de API relacionados con Git utilizan execAsync() con interpolaci\u00f3n de cadenas de par\u00e1metros controlados por el usuario (file, branch, message, commit), lo que permite a atacantes autenticados ejecutar comandos arbitrarios del sistema operativo. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.24.0."}], "id": "CVE-2026-31862", "lastModified": "2026-03-17T19:04:29.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-11T18:16:25.073", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/siteboon/claudecodeui/releases/tag/v1.24.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/siteboon/claudecodeui/security/advisories/GHSA-f2fc-vc88-6w7q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.24.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "claudecodeui", "source": "cna", "vendor": "siteboon"}, "product": "claudecodeui", "vendor": "siteboon"}], "analysis": {"en": {"generated_at": "2026-03-17T20:44:37.422023+00:00", "value": {"mitigation_remediation": ["Upgrade to Cloud CLI version\u00a01.24.0\u00a0or later, which removes the affected execAsync calls."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the Siteboon Cloud CLI (Claude Code UI) before version 1.24.0. The vulnerability is present in all releases prior to the 1.24.0 release, as documented by the vendor.", "description_and_impact": "Cloud CLI (Claude Code UI) allows authenticated attackers to execute arbitrary OS commands through command injection. The vulnerability arises because multiple Git\u2011related API endpoints use execAsync() with string interpolation of user\u2011controlled parameters (file, branch, message, commit). This is a classic CWE\u201178 vulnerability leading to Remote Code Execution.", "risk_and_exploitability": "The CVSS score is 9.1, indicating a critical severity. The EPSS score is below 1\u202f%, suggesting low exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication and access to the Git API endpoints, and the attack vector is via application\u2011level functionality rather than network\u2011level exploits."}}}}, "created": "2026-03-12T09:57:39.796178+00:00", "updated": "2026-03-20T15:30:18.611489+00:00", "vendors": ["siteboon", "siteboon$PRODUCT$claudecodeui"]}