Security Notice > Notification Plaza: KISA Boho Nara & KrCERT/CC
Key Points
- KISA's KrCERT/CC has issued a security advisory regarding Anthropic's Claude Code product to address newly patched vulnerabilities.
- The vulnerabilities include a Code Injection flaw (CVE-2025-59536) affecting versions prior to v1.0.111 and a Sensitive Information Disclosure flaw (CVE-2026-21852) affecting versions prior to v2.0.65.
- Users are strongly recommended to update their Claude Code installations to v1.0.111 and v2.0.65, respectively, to mitigate these security risks.
This security advisory, issued by the Korea Internet Security Agency (KISA) KrCERT/CC, announces critical security updates released by Anthropic to address vulnerabilities within its Claude Code product.
The advisory details two specific vulnerabilities:
- Code Injection Vulnerability (CVE-2025-59536): This flaw affects Claude Code versions prior to v1.0.111. Successful exploitation could allow attackers to inject and execute arbitrary code. The resolution is to update to version v1.0.111 or later.
- Sensitive Information Disclosure Vulnerability (CVE-2026-21852): This vulnerability impacts Claude Code versions prior to v2.0.65. It could lead to the unauthorized exposure of sensitive user or system information. The resolution requires updating to version v2.0.65 or later.
The mitigation is to update the software immediately. Users running affected versions of Claude Code are strongly recommended to upgrade to the specified patched versions to remediate these security risks.
The detailed product and version information is as follows:
| Vulnerability | Product Name | Affected Versions | Resolution Version |
| :------------ | :----------- | :----------------- | :----------------- |
| CVE-2025-59536| Claude Code | Less than v1.0.111| v1.0.111 |
| CVE-2026-21852| Claude Code | Less than v2.0.65 | v2.0.65 |
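The version thresholds in the table above can be turned into an inventory check. The following is an added example, not code from KISA or Anthropic; the `host, version` inventory format, the hostnames and the sample version strings are constructed assumptions. It also makes explicit that any release older than v1.0.111 falls below both fixed versions.

```python
import re

# Fixed-in versions taken from the advisory table above.
FIXED_IN = {
    "CVE-2025-59536": (1, 0, 111),
    "CVE-2026-21852": (2, 0, 65),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first MAJOR.MINOR.PATCH triple from a version string."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.groups())


def unpatched_cves(version_text):
    """Return the advisory's CVEs whose fixed version is newer than this one."""
    version = parse_version(version_text)
    # Tuple comparison is numeric per component, so 1.0.99 < 1.0.111
    # (a plain string comparison would order these the wrong way round).
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def audit(inventory_lines):
    """Map host -> unpatched CVEs; unparseable versions are reported as UNKNOWN."""
    report = {}
    for line in inventory_lines:
        host, _, version_text = line.partition(",")
        try:
            report[host.strip()] = unpatched_cves(version_text)
        except ValueError:
            report[host.strip()] = ["UNKNOWN"]
    return report


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = [
    "dev-laptop-01, 1.0.99",
    "dev-laptop-02, v1.0.111",
    "build-agent-01, 2.0.64 (Claude Code)",
    "build-agent-02, 2.0.65",
    "dev-laptop-03, not installed",
]

if __name__ == "__main__":
    for host, cves in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves) if cves else 'patched'}")
```

Hosts reported as `UNKNOWN` need a manual check, since a missing or unparseable version string says nothing about whether the installation is patched.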
Reference links for further information and details on the vulnerabilities and updates are provided:
- [1] https://github.com/anthropics/claude-code/security/advisories/GHSA-4fgq-fpq9-mr3g
- [2] https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7
- [3] https://nvd.nist.gov/vuln/detail/CVE-2025-59536
- [4] https://nvd.nist.gov/vuln/detail/CVE-2026-21852
The advisory was prepared by the AI Vulnerability Response Team within KISA's Threat Response Group.