CVE-2026-54057

Summary

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
kovidgoyalkitty< 0.47.3affected

Weaknesses

  • CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-150: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References