CVE-2026-42851
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal can cause kitty to execute attacker-supplied Python inside the running kitty process with the user's full privileges.
Risk Assessment
The lack of any user interaction and no remote-control permission requirements poses a serious security risk, allowing attackers to execute arbitrary code on the victim's system.
Recommendation
It is recommended to upgrade to version 0.47.0 or later to mitigate this vulnerability.
Original NVD description (English source)
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user's full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard touch, and no editor interaction. Version 0.47.0 fixes the issue.

