CVE-2026-42850: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in kovidgoyal kitty
Kitty terminal versions prior to 0.47.0 contain a command injection vulnerability. An attacker can exploit a specially crafted escape code that triggers an unescaped error message echoed back to the terminal, which the shell then executes. Exploitation requires the victim to use netcat or a similar tool to connect to the attacker or listen for incoming connections. Version 0.47.0 addresses this issue.
AI Analysis
Technical Summary
CVE-2026-42850 is a command injection vulnerability (CWE-77) in the kitty terminal software before version 0.47.0. The vulnerability arises because a special escape code causes kitty to return an error message that is not properly escaped and is echoed back to the terminal with CRLF characters. This echoed error is interpreted and executed by the shell in use, allowing an attacker to run arbitrary commands. Exploitation requires the victim to establish a network connection using netcat or similar tools to the attacker or vice versa. The vulnerability is fixed in kitty version 0.47.0.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary commands on the victim's system via the shell, potentially leading to full system compromise. The attack requires user interaction and network conditions (netcat or similar connection). There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade kitty to version 0.47.0 or later, where this command injection vulnerability is fixed. No official patch advisory is provided, but the fix is included in the stated version update. Until upgrading, avoid using netcat or similar tools that expose the terminal to attacker-controlled input that could trigger the vulnerability.
CVE-2026-42850: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in kovidgoyal kitty
Description
Kitty terminal versions prior to 0.47.0 contain a command injection vulnerability. An attacker can exploit a specially crafted escape code that triggers an unescaped error message echoed back to the terminal, which the shell then executes. Exploitation requires the victim to use netcat or a similar tool to connect to the attacker or listen for incoming connections. Version 0.47.0 addresses this issue.
CVSS v4.0
Score 7.4high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42850 is a command injection vulnerability (CWE-77) in the kitty terminal software before version 0.47.0. The vulnerability arises because a special escape code causes kitty to return an error message that is not properly escaped and is echoed back to the terminal with CRLF characters. This echoed error is interpreted and executed by the shell in use, allowing an attacker to run arbitrary commands. Exploitation requires the victim to establish a network connection using netcat or similar tools to the attacker or vice versa. The vulnerability is fixed in kitty version 0.47.0.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary commands on the victim's system via the shell, potentially leading to full system compromise. The attack requires user interaction and network conditions (netcat or similar connection). There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade kitty to version 0.47.0 or later, where this command injection vulnerability is fixed. No official patch advisory is provided, but the fix is included in the stated version update. Until upgrading, avoid using netcat or similar tools that expose the terminal to attacker-controlled input that could trigger the vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-30T16:44:48.378Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2c6778e617e2d834bac51b
Added to database: 6/12/2026, 8:09:28 PM
Last enriched: 6/12/2026, 8:24:21 PM
Last updated: 6/12/2026, 9:10:48 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.