PatchSiren cyber security CVE debrief

CVE-2026-42850 kovidgoyal CVE debrief

CVE-2026-42850 is a command injection vulnerability in Kitty, a cross-platform GPU-based terminal emulator. Versions prior to 0.47.0 are affected. An attacker can inject commands into the subshell through a special escape code that causes Kitty to return an error. That error message is not escaped and is echoed back to the terminal followed by a CRLF, so the shell in use executes it as a command line. To exploit this vulnerability, the victim must use netcat or a similar program to connect to the attacker or to listen for incoming connections. Once that condition is met, an attacker could potentially take control of the victim's computer by sending a special Kitty escape code that runs a command in the shell in use. The vulnerability has a CVSS score of 7.4 and is classified as HIGH severity.

Vendor: kovidgoyal
Product: kitty
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-12
Advisory published: 2026-06-12
Advisory updated: 2026-06-12

Who should care

Users of Kitty terminal versions prior to 0.47.0 should update to version 0.47.0 or later to mitigate this vulnerability. Administrators and security teams should also be aware of the risk this vulnerability poses to their users and take steps to protect their systems.

Technical summary

The vulnerability exists because of how Kitty handles a special escape code that returns an error. The resulting error message is not properly escaped and can be used to inject commands into the subshell. An attacker can exploit this by having a victim connect to them using netcat or a similar program, and then sending a special Kitty escape code that causes a command to run in the shell in use.

Defensive priority

HIGH

Recommended defensive actions

  • Update Kitty to version 0.47.0 or later.
  • Use secure communication protocols to protect against exploitation.
  • Monitor systems for suspicious activity.

Evidence notes

CVE-2026-42850 has been documented in the official CVE record [cve-org] and the National Vulnerability Database [nvd]. Additional information can be found in the security advisory [ref-4].

Official resources

CVE-2026-42850 was published on 2026-06-12T20:16:45.283Z and has not been modified since then.