@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters
Multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands.