PatchSiren cyber security CVE debrief
CVE-2026-54056 kovidgoyal CVE debrief
CVE-2026-54056 is a HIGH severity vulnerability in Kitty, a cross-platform GPU-based terminal. This vulnerability allows a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. The issue arises from the `kitten dnd` feature, where remote `text/uri-list` drops are staged in a temporary directory. On case-sensitive filesystems, duplicate remote basenames are not de-duplicated, allowing an attacker to create a staged symlink and then send a same-name regular-file entry. The regular-file write uses `utils.CreateAt()` / `openat(O_RDWR|O_CREAT|O_TRUNC)` without `O_NOFOLLOW`, enabling the attacker to write outside the staging directory before final overwrite confirmation runs. This vulnerability is patched in version 0.47.2.
- Vendor: kovidgoyal
- Product: kitty
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Kitty versions 0.47.0 and 0.47.1 should update to version 0.47.2 to mitigate this vulnerability.
Technical summary
The `kitten dnd` feature does not de-duplicate duplicate remote basenames when staging `text/uri-list` drops on case-sensitive filesystems, and the regular-file write lacks `O_NOFOLLOW`, so it follows a symlink already present in the staging directory. An attacker can exploit this by creating a staged symlink and then sending a same-name regular-file entry, allowing them to write outside the staging directory.
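The difference `O_NOFOLLOW` makes to the staged write described above, as an added Go example that is not kitty's code or its actual patch. `stageWrite`, `demo`, the file names and the extra `O_EXCL` in the hardened flags are assumptions of this example, and it opens a joined path with `os.OpenFile` rather than `openat` on a directory descriptor.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// Flags the advisory gives for the staged regular-file write.
const weakFlags = os.O_RDWR | os.O_CREATE | os.O_TRUNC

// Hardened flags (this example's assumption, not kitty's actual patch):
// O_NOFOLLOW rejects a final-component symlink, O_EXCL any existing entry.
const safeFlags = os.O_RDWR | os.O_CREATE | os.O_EXCL | syscall.O_NOFOLLOW

// stageWrite writes data to name inside stagingDir with the given flags.
func stageWrite(stagingDir, name string, flags int, data []byte) error {
	f, err := os.OpenFile(filepath.Join(stagingDir, name), flags, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// demo stages a constructed symlink "report.txt" that points outside the
// staging directory, writes a same-name file, and reports the outside content.
func demo(flags int) (string, error) {
	root, err := os.MkdirTemp("", "dnd-demo-")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(root)
	outside := filepath.Join(root, "outside.txt")
	staging := filepath.Join(root, "staging")
	os.WriteFile(outside, []byte("original"), 0o600)
	os.Mkdir(staging, 0o700)
	os.Symlink(outside, filepath.Join(staging, "report.txt"))
	werr := stageWrite(staging, "report.txt", flags, []byte("replaced"))
	after, _ := os.ReadFile(outside)
	return string(after), werr
}

func main() {
	for _, fl := range []int{weakFlags, safeFlags} {
		fmt.Println(demo(fl))
	}
}
```

With the weak flags the file outside the staging directory is truncated and rewritten through the symlink; with the hardened flags the open fails and the outside file is untouched.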
Defensive priority
HIGH
Recommended defensive actions
- Update Kitty to version 0.47.2 or later.
- Accept drops only from remote drag-and-drop sources you trust.
- Monitor for unexpected overwrites or truncation of files writable by the kitty user.
Evidence notes
CVE-2026-54056 has a CVSS score of 7.6 and is classified as HIGH severity. The vulnerability is related to CWE-59.
Official resources
- CVE-2026-54056 CVE record (CVE.org)
- CVE-2026-54056 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2026-54056 was published on 2026-06-12T21:16:24.463Z and has not been modified since then.