Description
Kitty is a cross-platform GPU-based terminal. In versions prior to 0.47.0, it is possible to inject commands into the subshell through a kitty error. A special escape code will make kitty return an error; this error is not escaped and will be echoed back to the terminal with CRLF, so it will be run by the shell in use. To exploit this bug, the victim must use netcat or a similar program to connect to the attacker, or else listen for someone to connect. Once this condition is met, an attacker could compromise the victim's computer using a special kitty escape code that will run a command in the shell in use. Version 0.47.0 fixes the issue.
Published: 2026-06-12
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in versions of kitty prior to 0.47.0 allows attackers to inject shell commands through a specially crafted escape code that triggers an unescaped error response. Because the terminal echoes the error string with carriage-return and line-feed characters, the victim's active shell interprets it as a command. An attacker whose bytes reach the terminal over a netcat-style connection can therefore execute arbitrary commands on the victim's machine, resulting in full compromise of confidentiality, integrity, and availability. This flaw is a classic command injection, mapped to CWE-77.

Affected Systems

The issue affects the kitty terminal emulator developed by Kovid Goyal. Any installation running a version earlier than 0.47.0 on any operating system supported by kitty (Windows, macOS or Linux) is vulnerable. Version 0.47.0 and later incorporate the fix and are not impacted.

Risk and Exploitability

The CVSS score of 7.4 indicates high severity, while the EPSS score of less than 1% shows a low projected exploitation probability at this time. The vulnerability is not yet listed in CISA's KEV catalog. Exploitation requires a network connection through which attacker-controlled bytes reach the victim's kitty terminal; typical vectors are a netcat session or any service that can write data into the local terminal. If successful, the attacker can run arbitrary commands under the victim's account. Because the flaw is remotely triggerable but depends on such a connection to the terminal, defensive actions should focus on restricting these inbound connections and applying the patch promptly.

Generated by OpenCVE AI on June 12, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade kitty to version 0.47.0 or newer to apply the vendor fix.
  • If an upgrade cannot be performed immediately, block inbound connections that can reach the kitty terminal by configuring firewall rules or disabling remote terminal access.
  • If an upgrade cannot be performed immediately, pass any untrusted data displayed in the terminal (for example the output of a netcat session) through a wrapper that strips or escapes control characters and escape sequences before it reaches the terminal.
  • Maintain regular monitoring of terminal activity and keep the host OS and kitty updated to mitigate exploitation attempts.
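The filtering wrapper suggested above, as an added example that is not kitty's own code or OpenCVE's: it strips ESC-introduced sequences (CSI, OSC, APC and similar strings) from untrusted text before it is printed and renders any remaining control characters visibly, and it can also report the sequences it found for monitoring. The sample inputs are constructed; the page does not disclose the actual triggering sequence and this filter does not need to know it.

```python
"""Defensive filter for untrusted text that is about to be written to a terminal."""
import re

# One ESC-introduced control sequence:
#   ESC ] / ESC P / ESC _ / ESC ^ / ESC X  - OSC, DCS, APC, PM, SOS strings, up to ST (ESC \) or BEL
#   ESC [ params intermediates final       - CSI sequences such as colour changes
#   ESC + any single character             - two-character escapes (ESC c, ESC 7, ...)
_ESCAPE_SEQ = re.compile(
    r"\x1b(?:"
    r"[\]P_^X][^\x1b\x07]*(?:\x1b\\|\x07)?"
    r"|\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"
    r"|.)",
    re.DOTALL,
)

# C0 controls other than newline and tab, DEL, and 8-bit C1 controls (U+0080..U+009F),
# which terminals may also interpret (U+009B is an 8-bit CSI, U+009D an 8-bit OSC).
_CONTROL_CHAR = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def _make_visible(m: re.Match) -> str:
    """Replace a control character by a printable marker (CR -> ^M, BEL -> ^G, ...)."""
    code = ord(m.group(0))
    if code < 0x20:
        return "^" + chr(code + 0x40)
    if code == 0x7F:
        return "^?"
    return "\\u%04x" % code  # C1 controls shown as an escaped code point


def find_terminal_escapes(text: str) -> list[str]:
    """Return every ESC-introduced sequence in the text, for logging or alerting."""
    return _ESCAPE_SEQ.findall(text)


def sanitize_for_terminal(text: str) -> str:
    """Remove escape sequences and make any leftover control characters visible."""
    stripped = _ESCAPE_SEQ.sub("", text)
    return _CONTROL_CHAR.sub(_make_visible, stripped)


def sanitize_bytes(raw: bytes) -> str:
    """Decode untrusted bytes (e.g. read from a socket) and sanitize them before printing."""
    return sanitize_for_terminal(raw.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Constructed sample: coloured text, an APC string and a stray BEL, as a remote peer might send.
    sample = b"hello\x1b[31mred\x1b[0m\r\nok\x1b_Gf=100\x1b\\tail\x07"
    print(sanitize_bytes(sample))
    print(find_terminal_escapes(sample.decode()))
```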



Advisories

No advisories yet.

History

Fri, 12 Jun 2026 21:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Kovidgoyal, Kovidgoyal kitty
Vendors & Products                     Kovidgoyal, Kovidgoyal kitty

Fri, 12 Jun 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description                    (the same description text shown at the top of this page)
Title                          Kitty has a shell command injection
Weaknesses                     CWE-77
References
Metrics                        cvssV4_0: {'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T19:59:14.267Z

Reserved: 2026-04-30T16:44:48.378Z

Link: CVE-2026-42850

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T20:16:45.283

Modified: 2026-06-12T20:16:45.283

Link: CVE-2026-42850

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T21:30:07Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')