VYPR

Kitty

by Kovidgoyal

Source repositories

CVEs (9)

  • CVE-2026-33642 | Critical | May 19, 2026
    risk 0.57 | cvss 9.9 | epss 0.00

    Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to…

  • CVE-2026-42850 | High | Jun 12, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A special escape code will make kitty return an error, this error is not escaped and will be correctly echoed back to the…

  • CVE-2026-54057 | High | Jun 12, 2026
    risk 0.44 | cvss 7.8 | epss 0.00

    Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue.

  • CVE-2026-42851 | High | Jun 12, 2026
    risk 0.44 | cvss 7.8 | epss 0.00

    Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty…

  • CVE-2026-54056 | High | Jun 12, 2026
    risk 0.42 | cvss 7.6 | epss 0.00

    Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote `text/uri-list` drops are staged in a temporary…

  • CVE-2026-33633 | High | May 19, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics…

  • CVE-2026-54055 | Medium | Jun 12, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU…

  • CVE-2025-43929 | Medium | Apr 20, 2025
    risk 0.00 | cvss 4.1 | epss 0.00

    open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).

  • CVE-2022-41322 | High | Sep 23, 2022
    risk 0.00 | cvss 7.8 | epss 0.00

    In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, then click on a notification popup.