CVEFinder.io

CVE-2020-35605

⛔ critical
🔍 Scan for this CVE
Summary

The Graphics Protocol feature in graphics.c in kitty before 0.19.3 allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message.

CVSS Score
9.8
Critical
EPSS Score
5.5
Exploit Probability
Published Date
2020-12-21
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Very High Risk - more severe than 90.5% of all 329,456 vulnerabilities in our database.

#31,311
Top 10% most severe
Severity Percentile
Last Modified 2025-04-24
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

📦 Affected Products 2

Vendor Product Status Affected Versions
debian debian_linux Affected
v10.0
kovidgoyal kitty Affected
< 0.19.3

🔗 References 3

https://github.com/kovidgoyal/kitty/commit/82c137878...
Patch Third Party Advisory
https://github.com/kovidgoyal/kitty/issues/3128
Exploit Issue Tracking Third Party Advisory
https://www.debian.org/security/2020/dsa-4819
Third Party Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-42850 ⚠️ high 8.8 0.2 Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the ... 2026-06-12
CVE-2026-42851 ⚠️ high 7.8 0.1 Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty term... 2026-06-12
CVE-2026-54055 🔶 medium 5.0 0.1 Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability ex... 2026-06-12
CVE-2026-54056 ⚠️ high 7.6 0.2 Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, `kitten dnd` can allow a malicious remote d... 2026-06-12
CVE-2026-54057 ⚠️ high 7.8 0.1 Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply re... 2026-06-12
CVE-2026-49975 ⚠️ high 7.5 10.4 Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service vi... 2026-06-08
These CVEs affect the same products