CVE-2026-54057

NameCVE-2026-54057
DescriptionKitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1139898

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
kitty (PTS)bullseye0.19.3-1vulnerable
bullseye (security)0.19.3-1+deb11u1vulnerable
bookworm0.26.5-5vulnerable
trixie0.41.1-2vulnerable
trixie (security)0.41.1-2+deb13u1vulnerable
forky, sid0.47.0-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
kittysource(unstable)(unfixed)1139898

Notes

https://github.com/kovidgoyal/kitty/security/advisories/GHSA-5gmr-9gwg-hhq6
Search for package or bug name: Reporting problems