562 matches found
CVE-2026-54055
A flaw was found in Kitty, a cross-platform GPU-based terminal. A local attacker, specifically a child process running within the terminal, can exploit a Time-of-Check-Time-of-Use TOCTOU race condition in the file transmission protocol. This allows the attacker to create a symbolic link between a...
CVE-2026-54057
A flaw was found in Kitty, a cross-platform GPU-based terminal. An input sanitization vulnerability in Kitty's OSC 21 color-control query reply allows an attacker to inject controlled bytes, including newlines, directly into the shell's input. This could enable an attacker to execute arbitrary co...
CVE-2026-54056
A flaw was found in Kitty, a cross-platform GPU based terminal. A remote attacker can exploit a vulnerability in the kitten dnd feature by sending a specially crafted drag-and-drop request. This allows the attacker to overwrite or truncate arbitrary files on the local system that are writable by...
CVE-2026-42850
A flaw was found in Kitty, a cross-platform GPU based terminal. A remote attacker could exploit this vulnerability by sending a specially crafted escape code to a victim who is connected to the attacker via a program like netcat. This escape code triggers an unescaped error that is then executed ...
CVE-2026-42851
A flaw was found in Kitty, a cross-platform GPU-based terminal. A local attacker, or a remote attacker who can control output displayed in the terminal, could exploit this vulnerability. By sending specially crafted input to the terminal, the attacker can cause Kitty to execute arbitrary Python...
CVE-2026-54057
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 color-control query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue...
CVE-2026-54056
Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, kitten dnd can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote text/uri-list drops are staged in a temporary directory, but on case-sensitiv...
CVE-2026-54055
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU...
CVE-2026-42851
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with cat, a log line, an email body rendered in less, an issue body in a TUI, etc. — can cause kitty to execute...
CVE-2026-42850
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A special escape code will make kitty return an error, this error is not escaped and will be correctly echoed back to the terminal with CRLF, as su...
EUVD-2026-36579
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 color-control query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue...
CVE-2026-54057
Kitty (cross-platform GPU-based terminal) is affected in versions prior to 0.47.3. The issue arises in the OSC 21 (color-control) query reply, which may reflect attacker-controlled bytes—including newlines—into the shell input without sanitization. This can enable local command injection or input...
CVE-2026-54057 Kitty vulnerable to command injection via unsanitized OSC 21 query reply
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 color-control query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue...
EUVD-2026-36578
Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, kitten dnd can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote text/uri-list drops are staged in a temporary directory, but on case-sensitiv...
CVE-2026-54055 Kitty has an Arbitrary File Write via Symlink Race Condition in File Transmission Protocol
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU...
EUVD-2026-36556
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU...
CVE-2026-54055
Kitty (cross‑platform GPU terminal) contains a local privilege escalation vulnerability in its file transmission protocol prior to 0.47.2. A TOCTOU race between symlink validation and file creation allows a child process in the terminal to cause an attack to write to arbitrary files because os.op...
CVE-2026-42851
CVE-2026-42851 (Kitty terminal) : In versions prior to 0.47.0, a program that writes bytes to a Kitty terminal can trigger execution of attacker-supplied Python inside the Kitty process with the user’s privileges. This is a local issue with high impact to confidentiality, integrity, and availabil...
EUVD-2026-36555
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with cat, a log line, an email body rendered in less, an issue body in a TUI, etc. — can cause kitty to execute...
CVE-2026-42851 @kitty-edit DCS + --color=geninclude vulnerable to Unauthenticated in-process RCE
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with cat, a log line, an email body rendered in less, an issue body in a TUI, etc. — can cause kitty to execute...