Vulnerability Database

321,672

Total vulnerabilities in the database

CVE-2026-24052

Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io), this could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111.

Published: Feb 3, 2026
Updated: Feb 7, 2026
CVE: CVE-2026-24052
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.4
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CWEs:

CWE-601

Affected Software
References

Software	From	Fixed in
anthropic / claude_code	-	1.0.111

https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo