CVE-2026-48725

Warp exposes a vulnerability where terminal output can request access to the local clipboard via OSC 52. From build 0.2021.04.25.23.05.stable_00 up to 0.2026.05.06.15.42.stable_01, a malicious remote host or attacker-controlled terminal output source could trigger reads or writes to the user’s cl...

CVE-2026-54057

A flaw was found in Kitty, a cross-platform GPU-based terminal. An input sanitization vulnerability in Kitty's OSC 21 color-control query reply allows an attacker to inject controlled bytes, including newlines, directly into the shell's input. This could enable an attacker to execute arbitrary co...

Linux Distros Unpatched Vulnerability : CVE-2026-54057

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 color-control query reply reflects attacker-controlled bytes, includin...

CVE-2026-54057

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 color-control query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue...

DEBIAN-CVE-2026-54057

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 color-control query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue...

CVE-2026-54057 Kitty vulnerable to command injection via unsanitized OSC 21 query reply

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 color-control query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue...

CVE-2026-54057

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 color-control query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue...

CVE-2026-47090

Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can...

CVE-2026-47090

Claude HUD up to version 0.0.12 is affected by a terminal-injection vulnerability in OSC 8 hyperlink handling. The root cause is constructing OSC 8 sequences from raw cwd and branchUrl values without stripping control characters or encoding embedded values, enabling injection of ANSI codes into t...

CVE-2026-47090 Claude HUD 0.0.12 Terminal Injection via OSC 8 Hyperlinks

Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can...

PT-2026-41730

Name of the Vulnerable Software and Affected Versions Claude HUD versions 0.0.0 through 0.0.12 Description The software constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values. This allows attackers t...

Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences...

EUVD-2026-16234

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences...

GHSA-3439-VQGJ-2GCF Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences...

CVE-2026-3108

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences...

CVE-2026-3108

Mattermost: CVE-2026-3108 affects versions 11.2.x up to 11.2.2, 10.11.x up to 10.11.10, 11.4.x up to 11.4.0, and 11.3.x up to 11.3.1. The vulnerability arises from failure to sanitize user-controlled post content in mmctl commands terminal output, allowing crafted messages with ANSI/OSC escape se...

Malicious code in osc-datagrid-validator (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b8b6beb7674c12933f815ec6da07e3bcb65403fef71ed76e7c1c8805df763672 The package osc-datagrid-validator was found to contain malicious code...

MAL-2026-2382 Malicious code in osc-datagrid-validator (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b8b6beb7674c12933f815ec6da07e3bcb65403fef71ed76e7c1c8805df763672 The package osc-datagrid-validator was found to contain malicious code...

openSUSE 16 Security Update : osc, obs-scm-bridge (openSUSE-SU-2026:20361-1)

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20361-1 advisory. Changes in osc: - 1.24.0 - Command-line: - Add '--target-owner' option to 'git-obs repo fork' command - Add '--self' parameter to fix 'no matching paren...

Security update for osc, obs-scm-bridge (moderate)

openSUSE security update: security update for osc, obs-scm-bridge ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20361-1 Rating: moderate References: bsc1230469 bsc1247410 Cross-References: CVE-2024-22038 CVSS scores: CVE-2024-22038 SUSE : 7.3...