CVE-2026-26982

Published: Mar 10, 2026Modified: Mar 13, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.

Affected (1)

Products: Ghostty: Ghostty

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ghostty Ghostty	Before 1.3.0

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (3)

https://github.com/ghostty-org/ghostty/commit/fe7427ed2a1a02aef85495b384cfb8f11ee5efc9

Source: security-advisories@github.com

Patch

https://github.com/ghostty-org/ghostty/pull/10746

Source: security-advisories@github.com

Issue TrackingPatch

https://github.com/ghostty-org/ghostty/security/advisories/GHSA-4jxv-xgrp-5m3r

Source: security-advisories@github.com

PatchVendor Advisory

Timeline

No history available yet.