CVE-2026-26982
MEDIUMghostty < 1.3.0 - OS Command Injection via Control Character Injection
Title source: llmDescription
Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/ghostty-org/ghostty/security/advisories/GHSA-4jxv-xgrp-5m3r
Issue Tracking x_refsource_misc
https://github.com/ghostty-org/ghostty/pull/10746
Scores
CVSS v3
6.3
EPSS
0.0004
EPSS Percentile
13.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-78
Status
published
Products (1)
ghostty/ghostty
< 1.3.0
Published
Mar 10, 2026
Tracked Since
Mar 10, 2026