CVE-2026-54057
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization.
Risk Assessment
Lack of input sanitization may lead to unauthorized command execution in the shell, posing a serious security risk to the system.
Recommendation
It is recommended to upgrade to version 0.47.3 or later to mitigate this vulnerability.
Original NVD description (English source)
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue.

