Running an AI coding agent on a developer workstation means handing a process that reads untrusted input ambient access to your home directory. This article documents a practical way to reduce that exposure on Linux, tested on Kubuntu 24.04 with bubblewrap 0.9.0 and Claude Code 2.1.78.

The approach has two independent layers:

• an outer bubblewrap wrapper (claude-safe) that restricts what the Claude process can see from the moment it starts: no ambient visibility into the home directory, a stripped environment, minimal DNS plumbing;
• an inner Claude Code native sandbox that applies a second boundary specifically to Bash commands and their child processes, with network prompts for hosts outside your configured allowlist.

Used together, they form a workstation-grade defense-in-depth pattern. Used separately, each still solves a narrower but useful problem.

CVE-2025-69633

Summary

A critical SQL Injection vulnerability has been identified in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop.

The vulnerability allows a remote unauthenticated attacker to execute arbitrary SQL queries via the fromController parameter of the module’s popup controller endpoint.

The issue affects versions:

< 1.2.7

The vendor confirmed that the vulnerability is present at least since version 1.1.26. The exact introduction version has not been determined.

The vulnerability is fixed in: