CVE-2026-26982 · HIGH 8.8 · EPSS p22.2%


Description

Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. The attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. It therefore requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments, so the attack isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.31% probability of exploitation · percentile 22.2% · 2026-06-18T12:00:27Z
Published: 2026-03-10
Last modified: 2026-03-13

Underlying weaknesses · 1

CWE-78

References

  1. https://github.com/ghostty-org/ghostty/commit/fe7427ed2a1a02aef85495b384cfb8f11ee5efc9
  2. https://github.com/ghostty-org/ghostty/pull/10746
  3. https://github.com/ghostty-org/ghostty/security/advisories/GHSA-4jxv-xgrp-5m3r


Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') cwe-78 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-29053
CVE-2025-61492
CVE-2026-30305
CVE-2026-26068
CVE-2026-22708
CVE-2026-21518

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.