These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
The calibre e-book manager, prior to version 9.10.0, contains a vulnerability that allows for arbitrary Python code execution. This is achieved through a malicious EPUB, OPF, or PDF file that embeds a custom column definition with a python: template in calibre:user_metadata. When the metadata of such a file is read by calibre, including through the 'Add books' or 'Edit books' features, the embedded templa [truncated]
CVE-2026-54057 is a HIGH severity vulnerability in Kitty, a cross-platform GPU-based terminal. Versions prior to 0.47.3 are affected by an OSC 21 color-control query reply injection issue. An attacker can inject arbitrary bytes, including newlines, into the shell's input without sanitization. This vulnerability is addressed in version 0.47.3.
CVE-2026-54056 is a HIGH severity vulnerability in Kitty, a cross-platform GPU-based terminal. This vulnerability allows a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. The issue arises from the `kitten dnd` feature, where remote `text/uri-list` drops are staged in a temporary directory. On case-sensitive filesystems, duplicate remote base [truncated]
A local privilege escalation vulnerability exists in Kitty, a cross-platform GPU-based terminal, in versions prior to 0.47.2. The vulnerability is caused by a Time-of-Check-Time-of-Use (TOCTOU) race condition between symlink validation and file creation in Kitty's file transmission protocol. This allows a child process running in the terminal to write to arbitrary files on the filesystem by exploiting the [truncated]
CVE-2026-42851 is a high-severity vulnerability in Kitty, a cross-platform GPU-based terminal. Versions prior to 0.47.0 are affected, allowing an attacker to execute arbitrary Python code with the user's full privileges. The vulnerability has a CVSS score of 7.8 and is classified as HIGH.
CVE-2026-42850 is a command injection vulnerability in Kitty, a cross-platform GPU-based terminal. Versions prior to 0.47.0 are affected. An attacker can inject commands within the subshell through a special escape code that makes Kitty return an error. This error is not escaped and will be echoed back to the terminal with CRLF, allowing it to be run by the shell in use. To exploit this vulnerability, a v [truncated]
CVE-2026-33642 is a critical memory-safety issue in kitty’s graphics composition handling. According to the published advisory and NVD record, crafted escape sequences can cause integer wrapping in bounds validation, allowing out-of-bounds heap memory access in affected versions (0.46.2 and below). The issue is fixed in kitty 0.47.0.
CVE-2026-33633 is a heap buffer overflow in kitty’s load_image_data() path for APC graphics handling. A single crafted APC graphics protocol command with a PNG declaration (f=100) and an oversized payload can crash kitty, and the memory corruption raises concern for broader impact beyond denial of service. The issue is fixed in kitty 0.47.0.