Act
active
Claude Code CVE-2026-39861: sandbox escape via symlink
- Engineer — Act: Public PoC exists for a symlink-based sandbox escape in Claude Code, which engineers and CI/CD pipelines commonly run; update Claude Code to the patched release immediately and audit any pipelines that invoke it with elevated filesystem access.
- SOC/IR — Learn: Low EPSS (0.01) and no active exploitation campaign; no IOCs or ATT&CK-mappable TTPs are provided, but the symlink sandbox-escape technique is worth noting if Claude Code runs in monitored developer environments.
- Leader — Skip
- Signals: CVE-2026-39861 — CISA KEV: not listed, EPSS 0.01, public PoC on GitHub
This entry was curated and judged by AI (Claude) with automated enrichment
(CISA KEV / EPSS / public PoC). Verify against the original source before
acting. Found a bad verdict?
Report it —
confirmed errors go to the corrections log.