PatchSiren cyber security CVE debrief
CVE-2026-54057 kovidgoyal CVE debrief
CVE-2026-54057 is a HIGH severity vulnerability in Kitty, a cross-platform GPU-based terminal. Versions prior to 0.47.3 are affected by an OSC 21 color-control query reply injection issue. An attacker can inject arbitrary bytes, including newlines, into the shell's input without sanitization. This vulnerability is addressed in version 0.47.3.
- Vendor: kovidgoyal
- Product: kitty
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Kitty terminal versions prior to 0.47.3 should update to the latest version to mitigate this vulnerability.
Technical summary
Kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes into the shell's input without sanitization. This allows an attacker to inject arbitrary input, including newlines, potentially leading to code execution or other malicious activity.
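As an added example (not code from Kitty or from the advisory), the following filter flags and strips OSC 21 sequences from untrusted bytes, such as log files or command output, before they are displayed in a terminal. It assumes only the standard 7-bit OSC framing (ESC ] ... terminated by BEL or ESC \); the function names, the `example-key` name and the sample bytes are constructed for illustration.

```python
import re

# 7-bit OSC introducer (ESC ]) followed by command number 21, then the payload
# up to BEL or ST (ESC \). The lookahead keeps OSC 210, 2100, ... from matching.
# The terminator is optional so that a truncated sequence is still caught.
OSC21 = re.compile(rb"\x1b\]21(?=[;\x07\x1b]|\Z)([^\x07\x1b]*)(\x07|\x1b\\)?")


def find_osc21(data: bytes):
    """Return one finding per OSC 21 sequence found in untrusted data."""
    findings = []
    for m in OSC21.finditer(data):
        payload = m.group(1).lstrip(b";")
        findings.append({
            "offset": m.start(),
            "terminated": m.group(2) is not None,
            "payload": payload,
            # Newlines or other control bytes inside the payload
            "control_bytes": any(b < 0x20 or b == 0x7F for b in payload),
        })
    return findings


def strip_osc21(data: bytes) -> bytes:
    """Remove every OSC 21 sequence; all other escape sequences are kept."""
    return OSC21.sub(b"", data)


# Constructed sample input (the key name is a placeholder, not a real Kitty key)
SAMPLE = (
    b"build ok\n"
    b"\x1b]21;example-key=?\x07"        # OSC 21, BEL terminated
    b"\x1b]210;not-osc-21\x07"          # different OSC number, left alone
    b"\x1b[31mred\x1b[0m\n"             # CSI colour sequence, left alone
    b"\x1b]21;example-key=a\nb\x1b\\"   # OSC 21 with a newline in the payload
)

if __name__ == "__main__":
    for finding in find_osc21(SAMPLE):
        print(finding)
    print(strip_osc21(SAMPLE))
```

The filter does not replace the upgrade to 0.47.3; it only covers content that passes through it.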
Defensive priority
HIGH
Recommended defensive actions
- Update Kitty to version 0.47.3 or later.
Evidence notes
CVE-2026-54057 has a CVSS score of 7.3 and is classified as HIGH severity. The vulnerability is addressed in Kitty version 0.47.3.
Official resources
- CVE-2026-54057 CVE record (CVE.org)
- CVE-2026-54057 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-54057 was published on 2026-06-12T21:16:24.610Z and has not been modified since then.