Description
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue.
Published: 2026-06-12
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kitty, a GPU‑based terminal emulator, accepts OSC 21 (color‑control) query replies that may contain arbitrary bytes from an attacker. The reply is forwarded directly to the shell without sanitization, allowing an attacker to insert shell metacharacters such as newlines. This leads to command injection. The weakness corresponds to CWE‑150 and CWE‑94. A successful exploitation would let the attacker execute arbitrary shell commands in the context of the user running kitty. The CVSS score of 7.3 reflects a moderate‑high severity.

Affected Systems

The affected product is kovidgoyal:kitty, version 0.47.2 or earlier on all platforms where kitty is distributed. Version 0.47.3 or later applies the patch that validates OSC 21 replies before feeding them to the shell.

Risk and Exploitability

The vulnerability is not listed in CISA KEV and no EPSS score is available, so the public exploitation probability is unknown, but the CVSS severity indicates a substantial risk. An attacker would need to deliver a crafted OSC 21 reply to the terminal, which may be possible from a local user or a compromised script. Once the malicious reply is processed, the shell will execute injected commands. Prompt application of the 0.47.3 update mitigates the issue entirely.

Generated by OpenCVE AI on June 12, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update kitty to version 0.47.3 or later, which sanitizes OSC 21 replies.
  • If upgrading is not immediately possible, remove or disable any programs or scripts that generate OSC 21 color‑control replies to the terminal.
  • Restrict access to the terminal so that only trusted users can interact with kitty, and monitor shell input for unexpected command execution.

Generated by OpenCVE AI on June 12, 2026 at 23:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Kovidgoyal
Kovidgoyal kitty
Vendors & Products Kovidgoyal
Kovidgoyal kitty

Fri, 12 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue.
Title Kitty vulnerable to command injection via unsanitized OSC 21 query reply
Weaknesses CWE-150
CWE-94
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Kovidgoyal Kitty
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:07:00.209Z

Reserved: 2026-06-11T18:24:35.096Z

Link: CVE-2026-54057

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-12T21:16:24.610

Modified: 2026-06-12T21:16:24.610

Link: CVE-2026-54057

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T23:15:10Z

Weaknesses
  • CWE-150

    Improper Neutralization of Escape, Meta, or Control Sequences

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')