Remote Drag-and-Drop Vulnerability in Kitty Terminal by Kovid Goyal
CVE-2026-54056
7.6HIGH
What is CVE-2026-54056?
The Kitty terminal, a cross-platform GPU-based application, has a vulnerability in its remote drag-and-drop feature. In affected versions 0.47.0 and 0.47.1, the kitten dnd functionality enables a malicious actor to overwrite or truncate files that are writable by the local user. This happens due to a flaw in how the application handles remote file drops. When multiple files share the same name on a case-sensitive filesystem, the system does not adequately de-duplicate them. An attacker can exploit this to create a symlink, allowing them to manipulate file writes outside of designated staging directories. The issue is caused by inappropriate file handling within the code, and has been addressed in version 0.47.2.
Affected Version(s)
kitty >= 0.47.0, < 0.47.2
