CVE-2026-42851
HIGH@kitty-edit DCS + --color=geninclude vulnerable to Unauthenticated in-process RCE
Title source: cnaDescription
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user's full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard touch, and no editor interaction. Version 0.47.0 fixes the issue.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/kovidgoyal/kitty/security/advisories/GHSA-w98g-hpvr-r332
Scores
CVSS v3
7.8
EPSS
0.0013
EPSS Percentile
2.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-862
CWE-94
Status
published
Products (1)
kovidgoyal/kitty
< 0.47.0
Published
Jun 12, 2026
Tracked Since
Jun 13, 2026