CVE-2026-26982 MEDIUM

CVE-2026-26982: Ghostty affected by arbitrary command execution via control characters in paste and drag-and-drop operations

Vendor Ghostty-Org

Product ghostty

Weakness CWE-78

Published March 9, 2026

Last update March 10, 2026

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.

Key dates

02Disclosure timeline

March 9, 2026 CVE published

March 10, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-26982

Related vulnerabilities

CVE-2026-26982: Ghostty affected by arbitrary command execution via control characters in paste and drag-and-drop operations

01Description

02Disclosure timeline

03References

04Related CVE