- Description: claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of claude-hovercraft. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the executeClaudeCode method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27785.
- Source: zdi-disclosures@trendmicro.com
- NVD status: Awaiting Analysis
CVSS 3.0
- Type: Secondary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- zdi-disclosures@trendmicro.com: CWE-78
- Hype score: Not currently trending
[CVE-2025-15060: CRITICAL] Critical vulnerability in claude-hovercraft's executeClaudeCode method allows remote attackers to execute arbitrary code without authentication, posing serious security risks. Patc...#cve,CVE-2025-15060,#cybersecurity https://t.co/WjobIraavg
@CveFindCom
16 Mar 2026
CVE-2025-15060 claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on aff… https://t.co/ya9WOLltAq
@CVEnew
13 Mar 2026
🚨 CVE-2025-15060: claude-hovercraft executeClaudeC... Unauthenticated RCE via command injection in executeClaudeCode method - CVSS 9.8 speaks volumes about trivial exploitat... https://t.co/K5N97vX7j5 #netsec #vulnerability #CVE #sysadmin #zeroday
@0dayPublishing
13 Mar 2026
[ZDI-26-124|CVE-2025-15060] claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability (CVSS 9.8; Credit: Peter Girnus (@gothburz) of Trend Research) https://t.co/0Ium1xKDRC
@TheZDIBugs
25 Feb 2026