9 matches found
CVE-2020-35605
The CVE-2020-35605 vulnerability affects the Kitty terminal emulator (graphics protocol handling) where a filename containing special characters in an error message could enable remote code execution. Affected component is Kitty’s graphics protocol implementation; root cause is inadequate sanitis...
CVE-2025-43929
CVE-2025-43929 affects kitty before 0.41.0. The issue arises because open_actions.py does not prompt for user confirmation before executing a local file that could be linked from an untrusted document (e.g., KDE Ghostwriter exports). Affects Kitty component (kitty) with local attack surface; expl...
CVE-2026-33642
CVE-2026-33642 affects Kitty up to version 0.46.2. The issue arises in handle_compose_command() in kitty/graphics.c, where 32-bit unsigned arithmetic for composition offsets can wrap and enable a heap buffer over-read/over-write. An attacker who can emit output to a Kitty terminal (e.g., maliciou...
CVE-2026-54057
Kitty (cross-platform GPU-based terminal) is affected in versions prior to 0.47.3. The issue arises in the OSC 21 (color-control) query reply, which may reflect attacker-controlled bytes—including newlines—into the shell input without sanitization. This can enable local command injection or input...
CVE-2026-54055
Kitty (cross‑platform GPU terminal) contains a local privilege escalation vulnerability in its file transmission protocol prior to 0.47.2. A TOCTOU race between symlink validation and file creation allows a child process in the terminal to cause an attack to write to arbitrary files because os.op...
CVE-2026-42851
CVE-2026-42851 (Kitty terminal) : In versions prior to 0.47.0, a program that writes bytes to a Kitty terminal can trigger execution of attacker-supplied Python inside the Kitty process with the user’s privileges. This is a local issue with high impact to confidentiality, integrity, and availabil...
CVE-2026-54056
Kitty (GPU-based terminal) vulnerability CVE-2026-54056 affects versions 0.47.0–0.47.1 where a remote drag-and-drop via kitten dnd staging can overwrite or truncate arbitrary files writable by the local user. The attack chains a staged remote text/uri-list, exploiting a race in staging where a st...
CVE-2026-33633
CVE-2026-33633 affects the Kitty terminal. Versions 0.46.2 and earlier are vulnerable to a heap buffer overflow in load_image_data(), triggered by a single APC graphics protocol command with a PNG declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacke...
CVE-2026-42850
CVE-2026-42850 affects the Kitty terminal (GPU-based, cross-platform). In versions prior to 0.47.0, an injection is possible through a crafted kitty error that is echoed back to the terminal with CRLF and executed by the user’s shell. The attack requires the victim to connect to the attacker (e.g...