Code Execution Vulnerability in iTerm2 by Itsyourtime, Affecting Multiple Versions
CVE-2026-41253

6.9 MEDIUM

Key Information:

Vendor: Iterm2

Status
Vendor
CVE Published: 18 April 2026

What is CVE-2026-41253?

A vulnerability in iTerm2 allows for potential code execution when a .txt file is displayed. The issue arises under specific conditions: the working directory must contain a maliciously named file, and that name exploits how the application handles the SSH conductor protocol. Exploitation can occur if the file name is itself valid output for the conductor encoding path, particularly names starting with 'ace/c+'. Users are encouraged to be vigilant when using iTerm2, especially with untrusted files and directories.

Affected Version(s)

iTerm2 0 <= 3.6.9

CVSS V3.1

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
