claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh

Description

tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code’s hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user’s Claude Code process.

Recommendation

Update the claude-code-cache-fix package to the latest compatible version. Followings are version details:

• Affected version(s): >= 3.5.0, < 3.5.2
• Patched version(s): 3.5.2

References

• GHSA-g3xq-3gmv-qq8g
• CVE-2026-45136
• CWE-78
• CWE-94
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• @siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection - CVE-2026-31975
• paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - paperclipai - CVE-2026-41679
• paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - CVE-2026-41679
• @siteboon/claude-code-ui is Vulnerable to Shell Command Injection in Git Routes - CVE-2026-31861

You might also like:

Host Header Injection and Python Tests with SmartScanner 1.11

Update Cheat Sheet for Developers

How do hackers hack websites?

Tags:

npm

claude-code-cache-fix