
Kitty terminal CVE-2026-42850

EUVD-2026-36553 · HIGH
Command Injection (CWE-77)
2026-06-12 · security-advisories@github.com
7.4 (CVSS 4.0) · Vendor: github

Severity by source

Vendor (github), primary: 7.4 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 6.8 MEDIUM
Network reach via attacker-controlled bytes, but high complexity and required user action (the victim must relay netcat output into Kitty); no authentication needed; full code execution as the user gives C:H/I:H; no availability impact stated.
CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

SUSE: HIGH (qualitative)

Primary rating from Vendor (github).

CVSS Vector (Vendor: github)

Vector string as listed under "Severity by source" above. Component breakdown:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: A (Active)
Scope: X (not defined)

Lifecycle Timeline

Patch available: Jun 12, 2026 - 21:01 (EUVD)
Analysis generated: Jun 12, 2026 - 20:30 (vuln.today)

Description (CVE.org)

Kitty is a cross-platform GPU-based terminal. In versions prior to 0.47.0, it is possible to inject commands into the subshell through a kitty error. A special escape code will make kitty return an error; this error is not escaped and will be echoed back to the terminal with CRLF, so it will be run by the shell in use. To exploit this bug, the victim must use netcat or a similar program to connect to the attacker, or else listen for someone to connect. Once this condition is set, an attacker could pwn the victim's computer using a special kitty escape code that will run a command in the shell in use. Version 0.47.0 fixes the issue.

Analysis (AI)

Command injection in Kitty cross-platform GPU terminal emulator versions prior to 0.47.0 allows remote attackers to execute arbitrary shell commands on a victim's host by sending a crafted escape sequence over an attacker-controlled network connection. The terminal echoes its own error message - including attacker-controlled bytes - back to the shell with CRLF, causing the shell to execute the injected command. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Victim opens a netcat listener in Kitty
Delivery: Attacker connects and sends a crafted escape code
Exploit: Kitty emits an unescaped error with CRLF
Execution: Shell reads the injected line from the TTY
Impact: Shell executes the attacker's command as the victim user

Vulnerability Assessment (AI)

Exploitation: Victim must be running Kitty < 0.47.0 AND must have an interactive shell prompt active in that terminal AND must be relaying attacker-controlled bytes into the terminal's stdout via a tool such as netcat, socat, or any similar listener/connector that prints raw network input to the TTY without sanitization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N) correctly captures the unusual risk profile: network reach, but high complexity, a required attack precondition, and active user involvement (the victim must have already piped untrusted network data - e.g., via netcat - into their Kitty session). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: A victim on a CTF or pentest workstation runs `nc -lvnp 4444` (or connects outbound to an attacker) inside Kitty and receives attacker-controlled bytes. The attacker sends a crafted escape sequence Kitty cannot parse; Kitty emits an error response containing the attacker's payload plus CRLF back to the TTY, and the user's shell - reading from that same TTY - executes the injected command as the victim user. …
Remediation: Vendor-released patch: upgrade to Kitty 0.47.0 or later, per the GitHub Security Advisory GHSA-p64q-59hq-5q65 (https://github.com/kovidgoyal/kitty/security/advisories/GHSA-p64q-59hq-5q65). … Detailed patch versions, workarounds, and compensating controls in full report.
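As an added illustration of a compensating control for the relay condition described above (this is not code from vuln.today or the kitty project, and the `nc ... | python3 ttyfilter.py` pipeline it assumes is a hypothetical deployment), the filter below rewrites every control and escape byte of an untrusted stream to a visible form before it reaches the TTY, so the terminal never sees anything it could parse as a sequence and no CRLF-terminated response can be injected into the shell:

```python
#!/usr/bin/env python3
"""Make untrusted bytes safe to display on a terminal (illustrative filter).

Assumed use: sit between a network listener and the TTY, for example
    nc -lvnp 4444 | python3 ttyfilter.py
Every byte a terminal could interpret as a control or escape is rewritten
to caret/hex notation, so no escape sequence reaches the terminal parser.
"""
import sys

# Bytes passed through untouched: printable ASCII, newline and tab.
# CR is NOT passed through: a bare CR overwrites the current line and is
# half of the CRLF the terminal response in this bug is terminated with.
_SAFE = set(range(0x20, 0x7F)) | {0x0A, 0x09}


def sanitize_for_tty(data: bytes) -> bytes:
    """Return data with every control/escape byte made visible.

    ESC (0x1B) becomes ^[, other C0 controls become ^X, DEL becomes ^?,
    and bytes 0x80-0xFF become \\xNN. The last rule is deliberately strict:
    8-bit C1 controls such as 0x9B (CSI) and 0x9D (OSC) live there, so
    non-ASCII text is shown as hex escapes rather than risk a parse.
    """
    out = bytearray()
    for b in data:
        if b in _SAFE:
            out.append(b)
        elif b < 0x20:                     # C0 control, incl. ESC and CR
            out += b"^" + bytes([b + 0x40])
        elif b == 0x7F:                    # DEL
            out += b"^?"
        else:                              # 8-bit bytes, incl. C1 controls
            out += b"\\x%02x" % b
    return bytes(out)


def is_terminal_safe(data: bytes) -> bool:
    """True when data holds only bytes the terminal renders literally."""
    return all(b in _SAFE for b in data)


if __name__ == "__main__":
    # Per-byte rewriting means a chunk boundary can never split an escape
    # sequence into an unfiltered remainder.
    for chunk in iter(lambda: sys.stdin.buffer.read(4096), b""):
        sys.stdout.buffer.write(sanitize_for_tty(chunk))
        sys.stdout.buffer.flush()
```

GNU `cat -v` is a comparable one-liner for the same pipeline position; the actual fix remains upgrading to Kitty 0.47.0 or later.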

Recommended Action (AI)

Within 24 hours: Conduct organization-wide inventory of Kitty installations and identify users with external or untrusted system connections. …


Vendor Status

SUSE

Severity: Important
