CVE-2026-26982 is a medium-severity OS command injection vulnerability affecting Ghostty, a cross-platform terminal emulator, in versions before 1.3.0. The root cause is the improper neutralization of special control characters (notably 0x03, Ctrl+C) in pasted or drag-and-dropped text. These control characters can be interpreted by certain shell environments to execute arbitrary commands, allowing an attacker to run code on the victim's system. The attack vector requires social engineering to convince a user to paste or drop crafted text containing these invisible control characters. Because these characters are not visually apparent in most graphical user interfaces, users may not detect the malicious input. The vulnerability impacts confidentiality, integrity, and availability by enabling command execution. The vulnerability was publicly disclosed on March 9, 2026, with no known exploits in the wild. The Ghostty development team addressed the issue in version 1.3.0 by properly sanitizing or blocking dangerous control characters in user input. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) indicates network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and low impact on confidentiality, integrity, and availability individually but combined to medium overall severity.

If exploited, this vulnerability allows attackers to execute arbitrary OS commands on the victim's machine via the Ghostty terminal emulator. This can lead to unauthorized data disclosure, modification, or deletion, and potentially full system compromise depending on the commands executed and the privileges of the Ghostty process. Because the attack requires user interaction (pasting or dropping malicious text), the risk is somewhat mitigated but remains significant in environments where users frequently handle untrusted text or code snippets. Organizations using Ghostty in development, operations, or security contexts may face risks of data breaches, operational disruption, or lateral movement within networks. The stealthy nature of the attack—due to invisible control characters—makes detection difficult, increasing the likelihood of successful exploitation. The vulnerability affects all platforms supported by Ghostty, potentially impacting diverse environments globally.

The primary mitigation is to upgrade Ghostty to version 1.3.0 or later, where the vulnerability is fixed. Until upgrade, organizations should implement strict user education and awareness programs to prevent users from pasting or dropping untrusted or suspicious text into Ghostty. Employ endpoint security solutions capable of detecting anomalous command execution or suspicious terminal activity. Consider restricting the use of Ghostty to trusted users or environments and monitor logs for unusual command patterns. Additionally, sandboxing or running Ghostty with least privilege can limit the impact of potential exploitation. Developers and administrators should audit other terminal emulators or similar tools for similar input sanitization issues. Implementing input validation and sanitization at the application level is critical to prevent injection attacks.