CVE-2026-54056
HighCVSS 7.6Exploitation Probability (EPSS)
Low risk13th percentile - higher than 13% of all known CVEs
Summary
In versions 0.47.0 and 0.47.1 of the Kitty terminal, the `kitten dnd` feature can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. The issue arises from the lack of de-duplication of filenames on case-sensitive filesystems.
Risk Assessment
An attacker can exploit this vulnerability to overwrite important files on the victim's system, potentially leading to data loss or system compromise. Organizations should be aware of the risks associated with using vulnerable versions of the software.
Recommendation
It is recommended to upgrade to version 0.47.2, which fixes this vulnerability. Additionally, consider restricting the use of drag-and-drop features in high-risk environments.
Original NVD description (English source)
Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote `text/uri-list` drops are staged in a temporary directory, but on case-sensitive filesystems duplicate remote basenames are not de-duplicated. An attacker can first create a staged symlink and then send a same-name regular-file entry. The regular-file write uses `utils.CreateAt()` / `openat(O_RDWR|O_CREAT|O_TRUNC)` without `O_NOFOLLOW`, so it follows the attacker-created symlink and writes outside the staging directory before final overwrite confirmation runs. This appears related in class to the file-transfer symlink advisory, but it is a different bug: it affects `kitten dnd` remote drag-and-drop staging, uses different vulnerable code (`kittens/dnd/drop.go` and `tools/utils/file_at_fd.go`), and reproduces on commit `4aa4a5c0567a92553a8c20a88a4352da637fca5d`, after the file-transfer `O_NOFOLLOW` fix. Version 0.47.2 patches the issue.

