8.8
Ghostty Terminal Emulator: Hidden Commands in Pasted Text
CVE-2026-26982
Summary
Ghostty, a terminal emulator for Windows, macOS, and Linux, allows malicious text to execute arbitrary commands in some shell environments if copied and pasted or dropped into the program. This means an attacker can trick a user into pasting malicious text, which can be difficult to detect because the hidden characters are invisible in most graphical user interfaces. Update to the latest version of Ghostty, v1.3.0, to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| ghostty | ghostty | <= 1.3.0 | – |
Original title
Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell envi...
Original description
Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.
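A defensive check for the invisible characters the description mentions, as an added example (not Ghostty's fix and not code from this advisory): it flags control characters such as 0x03 in text before it is pasted, renders them visibly in caret notation, and returns a stripped copy. The function names, the allowed set (tab, newline, carriage return) and the sample string are assumptions made for illustration.

```python
# Added example: audit text for invisible control characters before pasting.
# Assumption: tab, LF and CR are treated as legitimate in pasted text.
ALLOWED = {"\t", "\n", "\r"}


def is_control(ch):
    """True for C0 (0x00-0x1f), DEL (0x7f) and C1 (0x80-0x9f) controls not in ALLOWED."""
    cp = ord(ch)
    return (cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F) and ch not in ALLOWED


def caret(ch):
    """Visible form of a control character: 0x03 -> '^C', 0x1b -> '^[', 0x7f -> '^?'."""
    cp = ord(ch)
    if cp == 0x7F:
        return "^?"
    if cp < 0x20:
        return "^" + chr(cp + 0x40)
    return "<U+%04X>" % cp  # C1 controls have no caret form


def audit_paste(text):
    """Return (findings, visible, stripped) for a candidate paste.

    findings: list of (offset, code point, visible form) for each control character
    visible:  the text with control characters replaced by their visible form
    stripped: the text with control characters removed
    """
    findings = [(i, ord(ch), caret(ch)) for i, ch in enumerate(text) if is_control(ch)]
    visible = "".join(caret(ch) if is_control(ch) else ch for ch in text)
    stripped = "".join(ch for ch in text if not is_control(ch))
    return findings, visible, stripped


if __name__ == "__main__":
    # Constructed sample: looks like "make test echo constructed" in most GUIs,
    # but carries a 0x03 (Ctrl+C) byte after "test".
    sample = "make test\x03 echo constructed"
    findings, visible, stripped = audit_paste(sample)
    for offset, cp, shown in findings:
        print("offset %d: 0x%02x (%s)" % (offset, cp, shown))
    print("visible: ", visible)
    print("stripped:", stripped)
```

Feeding clipboard contents through `audit_paste` before pasting into a terminal makes the otherwise invisible bytes reviewable; an empty `findings` list means none were found.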
nvd CVSS3.1
6.3
Vulnerability type
CWE-78
OS Command Injection
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026