CVE-2026-42850
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk13th percentile - higher than 13% of all known CVEs
Summary
In versions prior to 0.47.0 of the Kitty terminal, it is possible to inject commands into the subshell through a Kitty error. A special escape code causes Kitty to return an error that is not properly escaped and is correctly echoed back to the terminal, allowing it to be executed by the shell in use.
Risk Assessment
An attacker could take control of the victim's computer by using a special Kitty escape code to run a command in the shell in use. This requires the victim to connect to the attacker using netcat or a similar program.
Recommendation
It is recommended to update the Kitty terminal to version 0.47.0 or later to mitigate this vulnerability. Additionally, avoid using unknown network connections that could lead to such attacks.
Original NVD description (English source)
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A special escape code will make kitty return an error, this error is not escaped and will be correctly echoed back to the terminal with CRLF, as such it will be run by the shell in use. To exploit this bug, the victim must use a netcat or a similar program to connect to the attacker, or else listening for someone to connect. Once this condition is set, an attacker could pwn the computer of the victim using a special kitty's escape code that will run a command in the shell in use. Version 04.7.0 fixes the issue.

