Originally published at: Claude Code CVE-2026-39861: symlink-assisted sandbox escape fixed - ToolsLib Blog
A GitHub advisory for CVE-2026-39861 details a symlink-based sandbox escape in Claude Code, now fixed. A separate CVE in jotty.page (CVE-2026-42564) addresses an unauthenticated path traversal fixed in 1.22.0.