Home / Vulnerability Intelligence / CVE-2026-31862

CVE-2026-31862 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: March 11, 2026

Cloud CLI - Command Injection

Published: March 11, 2026Updated: March 11, 2026Remote Exploitable

Overview

Cloud CLI < 1.24.0 contains a command injection caused by execAsync() using string interpolation of user-controlled Git parameters, letting authenticated attackers execute arbitrary OS commands remotely.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 4.4%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can execute arbitrary OS commands, potentially leading to full system compromise.

Mitigation

Update to version 1.24.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 11, 2026

🔴 CVE-2026-31862 - Critical (9.1) Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31862/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-31862
Severity: Critical
CVSS Score: 9.1
Type: command_injection
Status: new
EPSS: 4.4%
Social Posts: 1

CWE

CWE-78

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score

4.4%Probability of exploitation in the next 30 days