CVE-2026-54057
- EPSS 0.17%
- Veröffentlicht 12.06.2026 20:07:00
- Zuletzt bearbeitet 16.06.2026 15:42:18
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue.
CVE-2026-54056
- EPSS 0.27%
- Veröffentlicht 12.06.2026 20:06:06
- Zuletzt bearbeitet 16.06.2026 15:59:57
Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote `text/uri-list` drops are st...
- EPSS 0.07%
- Veröffentlicht 12.06.2026 20:03:17
- Zuletzt bearbeitet 16.06.2026 16:02:45
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the files...
CVE-2026-42851
- EPSS 0.16%
- Veröffentlicht 12.06.2026 20:00:23
- Zuletzt bearbeitet 16.06.2026 16:07:46
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TU...
CVE-2026-42850
- EPSS 0.29%
- Veröffentlicht 12.06.2026 19:59:14
- Zuletzt bearbeitet 16.06.2026 16:11:50
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A special escape code will make kitty return an error, this error is not escaped and will be correct...
CVE-2026-33642
- EPSS 0.29%
- Veröffentlicht 19.05.2026 18:04:42
- Zuletzt bearbeitet 19.05.2026 21:08:41
Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrappi...
CVE-2026-33633
- EPSS 0.37%
- Veröffentlicht 19.05.2026 17:36:07
- Zuletzt bearbeitet 19.05.2026 21:08:41
Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by ...
CVE-2025-43929
- EPSS 0.18%
- Veröffentlicht 20.04.2025 00:00:00
- Zuletzt bearbeitet 24.04.2025 15:46:35
open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).
CVE-2020-35605
- EPSS 3.61%
- Veröffentlicht 21.12.2020 20:15:12
- Zuletzt bearbeitet 24.04.2025 17:39:27
The Graphics Protocol feature in graphics.c in kitty before 0.19.3 allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message.