Remote Drag-and-Drop Vulnerability in Kitty Terminal by Kovid Goyal
CVE-2026-54056

7.6HIGH

Key Information:

Vendor

Kovidgoyal

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-54056?

The Kitty terminal, a cross-platform GPU-based application, has a vulnerability in its remote drag-and-drop feature. In affected versions 0.47.0 and 0.47.1, the kitten dnd functionality enables a malicious actor to overwrite or truncate files that are writable by the local user. This happens due to a flaw in how the application handles remote file drops. When multiple files share the same name on a case-sensitive filesystem, the system does not adequately de-duplicate them. An attacker can exploit this to create a symlink, allowing them to manipulate file writes outside of designated staging directories. The issue is caused by inappropriate file handling within the code, and has been addressed in version 0.47.2.

Affected Version(s)

kitty >= 0.47.0, < 0.47.2

References

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.