216.73.216.242

CVE-2026-54056

· Published 12/06/2026 23:16 · Modified 12/06/2026 21:16 · Author: The MITRE Corporation

Labels: CVE-2026-54056 2026-06-12CVE-2026-54056CWE-59[email protected]

Essential information

Published
12/06/2026 23:16
Modified
12/06/2026 21:16
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
7.1 HIGH (v3.1)
CISA KEV
No
CWE
CWE-59
EPSS (First)
P8.9% ?EPSS percentile: rank of this vulnerability versus all others. Higher percentile = more likely to be exploited. Learn more (score 0.00029)
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

CVSS metrics

Description

Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote `text/uri-list` drops are staged in a temporary directory, but on case-sensitive filesystems duplicate remote basenames are not de-duplicated. An attacker can first create a staged symlink and then send a same-name regular-file entry. The regular-file write uses `utils.CreateAt()` / `openat(O_RDWR|O_CREAT|O_TRUNC)` without `O_NOFOLLOW`, so it follows the attacker-created symlink and writes outside the staging directory before final overwrite confirmation runs. This appears related in class to the file-transfer symlink advisory, but it is a different bug: it affects `kitten dnd` remote drag-and-drop staging, uses different vulnerable code (`kittens/dnd/drop.go` and `tools/utils/file_at_fd.go`), and reproduces on commit `4aa4a5c0567a92553a8c20a88a4352da637fca5d`, after the file-transfer `O_NOFOLLOW` fix. Version 0.47.2 patches the issue.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
kitty / kitty cpe:2.3:a:kitty:kitty:0.47.0:*:*:*:*:*:*:*
kitty / kitty cpe:2.3:a:kitty:kitty:0.47.1:*:*:*:*:*:*:*

References