CVE Catalog

CVE-2026-42851

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile - higher than 3% of all known CVEs

Summary

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal can cause kitty to execute attacker-supplied Python inside the running kitty process with the user's full privileges.

Risk Assessment

The lack of any user interaction and no remote-control permission requirements poses a serious security risk, allowing attackers to execute arbitrary code on the victim's system.

Recommendation

It is recommended to upgrade to version 0.47.0 or later to mitigate this vulnerability.

Original NVD description (English source)

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user's full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard touch, and no editor interaction. Version 0.47.0 fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS