Lucene search
K

iTerm2 < 3.6.10 / < 3.7.0beta1 Arbitrary Code Execution (CVE-2026-41253)

🗓️ 21 Apr 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 21 Views

iTerm2 prior to 3.6.10 or 3.7.0beta1 is vulnerable to arbitrary code execution via crafted .txt display.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-41253
18 Apr 202605:27
attackerkb
Circl
CVE-2026-41253
18 Apr 202608:28
circl
CNNVD
iTerm2 安全漏洞
18 Apr 202600:00
cnnvd
CVE
CVE-2026-41253
18 Apr 202605:27
cve
Cvelist
CVE-2026-41253
18 Apr 202605:27
cvelist
EUVD
EUVD-2026-23656
18 Apr 202605:27
euvd
NVD
CVE-2026-41253
18 Apr 202606:16
nvd
Positive Technologies
PT-2026-33591
18 Apr 202600:00
ptsecurity
RedhatCVE
CVE-2026-41253
20 Apr 202619:23
redhatcve
Vulnrichment
CVE-2026-41253
18 Apr 202605:27
vulnrichment
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(307903);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/19");

  script_cve_id("CVE-2026-41253");

  script_name(english:"iTerm2 < 3.6.10 / < 3.7.0beta1 Arbitrary Code Execution (CVE-2026-41253)");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote macOS host is affected by an arbitrary code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of iTerm2 installed on the remote host is prior to 3.6.10, or prior to 3.7.0beta1. It is, therefore,
affected by an arbitrary code execution vulnerability:

  - Displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains
    a malicious file whose name is valid output from the conductor encoding path. This occurs because iTerm2 accepts
    the SSH conductor protocol from terminal output that does not originate from a legitimate conductor session.
    (CVE-2026-41253)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://blog.calif.io/p/mad-bugs-even-cat-readmetxt-is-not");
  script_set_attribute(attribute:"see_also", value:"https://iterm2.com/downloads.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to iTerm2 version 3.6.10 / 3.7.0beta1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-41253");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/04/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:iterm2:iterm2");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("iterm2_macos_installed.nbin");
  script_require_keys("installed_sw/iTerm2", "Host/MacOSX/Version");

  exit(0);
}

include('vdf.inc');

# @tvdl-content
var vuln_data = {
  'metadata': {'spec_version': '1.0'},
  'checks': [
    {
      'product': {'name': 'iTerm2', 'type': 'app'},
      'requires': [{'scope': 'target', 'match': {'os': 'macos'}}],
      'check_algorithm': 'default',
      'constraints': [
        {
          'requires': [{'scope': 'install', 'match': {'isBeta': 'is_beta'}}],
          'fixed_version': '3.7.0.1', 'fixed_display': '3.7.0beta1'
        },
        {
          'requires': [{'scope': 'install', 'match': {'isBeta': 'not_beta'}}],
          'fixed_version': '3.6.10'
        }
      ]
    }
  ]
};

var result = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_HOLE);
vdf::handle_check_and_report_errors(vdf_result:result);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

19 May 2026 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 3.16.9 - 7.8
EPSS0.00199
SSVC
21