Remote Code Execution Vulnerability in Kitty Terminal by Kovid Goyal
CVE-2026-42851

7.8HIGH

Key Information:

Vendor

Kovidgoyal

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-42851?

The Kitty Terminal, a versatile GPU-based terminal, is susceptible to a vulnerability where an attacker can execute arbitrary Python code. Users can trigger this issue by sending crafted data to the terminal, allowing unauthorized command execution within the Kitty process itself. No user consent or system permissions are required to exploit this vulnerability, meaning that commands can run with full user privileges. This serious oversight poses a significant risk to users, especially if they handle untrusted remote SSH connections or process external content within the terminal. The issue is addressed in version 0.47.0.

Affected Version(s)

kitty < 0.47.0

References

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.