Input Validation Flaw in Kitty Terminal from Kovid Goyal
CVE-2026-54057

7.3HIGH

Key Information:

Vendor

Kovidgoyal

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-54057?

Kitty Terminal, a cross-platform GPU-based terminal, is affected by a vulnerability that arises from its OSC 21 (color-control) query reply feature. In versions prior to 0.47.3, this functionality fails to properly sanitize attacker-controlled input, potentially allowing malicious data, including newlines, to be injected into the shell's input. This issue could lead to unexpected behavior in the terminal environment, exposing users to security risks. Version 0.47.3 has been released to address and rectify this vulnerability.

Affected Version(s)

kitty < 0.47.3

References

CVSS V4

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.