Unpatched Injection Flaw in Claude Desktop Linux Notification Handler Enables Markup and Flag Injection

A critical sanitization gap in the Linux desktop notification pipeline of Claude Desktop code has been identified during a post-#583 security review, leaving the `notify-send` execution path vulnerable to two distinct injection vectors. The flaw, rated HIGH severity by the reviewing analyst, resides in the `send_linux_notification` function within `.claude/hooks/notify.sh` at line 187, where `notify-send "$title" "$message"` is invoked without any input sanitization or argument boundary enforcement.

The first vulnerability class concerns Pango and HTML-style markup parsing. When notification servers such as GNOME Shell, KDE Plasma, or dunst have markup enabled, unescaped characters (`<`, `>`, `&`) within a caller-controlled message can be rendered as hyperlinks, embedded images, or visually spoofed text. This creates a risk of social engineering via crafted notification content that could mimick system alerts or trusted sources. The second vector exploits the absence of a `--` separator between arguments: a notification title beginning with a hyphen could be interpreted as a `notify-send` flag, potentially enabling an attacker to specify arbitrary parameters such as `--icon=/path` to load attacker-controlled icon resources. Both issues mirror the class of injection defects previously addressed in #583 for Slack and PowerShell notification paths.

The fix requires escaping Pango/HTML-special characters in both `$title` and `$message` before `notify-send` invocation (`&` → `&amp;`, `<` → `&lt;`, `>` → `&gt;`), and inserting a `--` argument separator to terminate option parsing and treat all subsequent arguments as positional parameters. Until the patch is merged, any integration or plugin passing untrusted content into the notification handler could propagate the injection risk downstream to end-user desktop environments.