CVEFinder.io

CVE-2026-42851

⚠️ high
🔍 Scan for this CVE
Summary

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user's full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard tou

Description

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user's full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard touch, and no editor interaction. Version 0.47.0 fixes the issue.

CVSS Score
7.8
High
EPSS Score
0.1
Exploit Probability
Published Date
2026-06-12
First Seen: 2026-06-13
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.6% of all 329,456 vulnerabilities in our database.

#100,230
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Jun 16, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Total
Complete system compromise possible
SSVC data provided by CISA
Last Modified 2026-06-16
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-94 CWE-862

📦 Affected Products 1

Vendor Product Status Affected Versions
kovidgoyal kitty Affected
< 0.47.0

🔗 References 1

https://github.com/kovidgoyal/kitty/security/advisor...
Exploit Mitigation Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-42850 ⚠️ high 8.8 0.2 Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the ... 2026-06-12
CVE-2026-54055 🔶 medium 5.0 0.1 Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability ex... 2026-06-12
CVE-2026-54056 ⚠️ high 7.6 0.2 Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, `kitten dnd` can allow a malicious remote d... 2026-06-12
CVE-2026-54057 ⚠️ high 7.8 0.1 Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply re... 2026-06-12
CVE-2026-33633 ⚠️ high 7.5 0.0 Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_dat... 2026-05-19
CVE-2026-33642 ⛔ critical 9.9 0.1 Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kit... 2026-05-19
These CVEs affect the same products