CVE-2026-26982
Command Injection via Control Characters in Ghostty Terminal Emulator
Publication date: 2026-03-10
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ghostty | ghostty | to 1.3.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26982 is a vulnerability in the Ghostty terminal emulator where control characters such as 0x03 (Ctrl+C) can be included in pasted or dragged-and-dropped text. These control characters are invisible in most graphical user interfaces and can be used to execute arbitrary commands in some shell environments like Bash and Zsh. The vulnerability arises because Ghostty does not properly neutralize these special control characters, allowing attackers to trick users into executing unintended commands by convincing them to paste or drop malicious text.
The issue was fixed in Ghostty version 1.3.0 by replacing a hardcoded set of unsafe control characters with spaces during paste operations, preventing these characters from being executed. This fix is inspired by xterm's handling of pasted text and mitigates the risk of command injection via pasted control characters. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to arbitrary command execution on your system if you are using a vulnerable version of Ghostty (up to version 1.2.3) and are tricked into pasting or dragging and dropping malicious text containing special control characters. Because these characters are invisible in most GUI environments, it is difficult to detect the malicious input.
The impact includes potential unauthorized actions such as running unintended commands, which can compromise the confidentiality, integrity, and availability of your system, although the CVSS score rates these impacts as low. The attack requires user interaction, so it cannot be exploited remotely without user involvement.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves invisible control characters such as 0x03 (Ctrl+C) embedded in pasted or dragged-and-dropped text within the Ghostty terminal emulator. Detection is challenging because these control characters are invisible in most graphical user interfaces and can be embedded in complex strings.
To detect potential exploitation attempts, you can monitor clipboard contents or input buffers for the presence of unsafe control characters that Ghostty versions prior to 1.3.0 do not sanitize. These characters include NUL (0x00), Backspace (0x08), ENQ (0x05), EOT (0x04), ESC (0x1B), DEL (0x7F), and terminal line discipline control characters such as VINTR (Ctrl+C, 0x03), VQUIT (Ctrl+\, 0x1C), VKILL (Ctrl+U, 0x15), VSUSP (Ctrl+Z, 0x1A), VSTART (Ctrl+Q, 0x11), VSTOP (Ctrl+S, 0x13), VWERASE (Ctrl+W, 0x17), VLNEXT (Ctrl+V, 0x16), VREPRINT (Ctrl+R, 0x12), and VDISCARD (Ctrl+O, 0x0F).
Commands to detect these control characters in text inputs or clipboard data could include using tools like `hexdump`, `xxd`, or `cat -v` to reveal non-printable characters. For example, you can inspect clipboard contents (on Linux/X11) with `xclip -selection clipboard -o | xxd` or `xsel --clipboard --output | xxd` and look for the control bytes listed above (note that plain `xclip -o` reads the primary selection, not the clipboard).
Similarly, monitoring terminal input logs or shell history for unexpected command interruptions or unusual behavior triggered by control characters may help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Ghostty to version 1.3.0 or later, where the vulnerability is fixed by replacing unsafe control characters with spaces during paste and drag-and-drop operations.
Until upgrading, users should avoid copying and pasting or dragging and dropping text from untrusted sources into Ghostty, as the attack requires user interaction to trigger.
There are no configuration options or workarounds available in affected versions to mitigate this vulnerability. Manual inspection and sanitization of clipboard and draggable content before pasting or dropping into Ghostty is recommended.
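The two checks described above (scanning pasted or clipboard text for the unsafe control bytes, and neutralising them by replacing each with a space as the 1.3.0 fix is described) can be combined in a small script. The example below is added here and is not Ghostty's code; the byte table is built from the list in the detection answer on this page, the sample input is constructed, and the helper names (`find_unsafe`, `sanitize_paste`, `render_visible`) are the example's own.

```python
"""Detect and neutralise control characters in text about to be pasted.

Added example for this advisory page; not Ghostty's own implementation.
The byte set is taken from the list given in the detection answer above.
"""
from __future__ import annotations

import sys

# Unsafe paste bytes named in this advisory, mapped to a readable name.
# Assumption: this mirrors the advisory's list, not Ghostty's source.
UNSAFE_PASTE_BYTES: dict[int, str] = {
    0x00: "NUL",
    0x03: "VINTR (Ctrl+C)",
    0x04: "EOT",
    0x05: "ENQ",
    0x08: "Backspace",
    0x0F: "VDISCARD (Ctrl+O)",
    0x11: "VSTART (Ctrl+Q)",
    0x12: "VREPRINT (Ctrl+R)",
    0x13: "VSTOP (Ctrl+S)",
    0x15: "VKILL (Ctrl+U)",
    0x16: "VLNEXT (Ctrl+V)",
    0x17: "VWERASE (Ctrl+W)",
    0x1A: "VSUSP (Ctrl+Z)",
    0x1B: "ESC",
    0x1C: "VQUIT (Ctrl+\\)",
    0x7F: "DEL",
}


def find_unsafe(data: bytes) -> list[tuple[int, int, str]]:
    """Return (offset, byte value, name) for every unsafe byte found in data."""
    return [(i, b, UNSAFE_PASTE_BYTES[b])
            for i, b in enumerate(data) if b in UNSAFE_PASTE_BYTES]


def sanitize_paste(data: bytes) -> bytes:
    """Replace each unsafe control byte with a space (the fix as described)."""
    return bytes(0x20 if b in UNSAFE_PASTE_BYTES else b for b in data)


def render_visible(data: bytes) -> str:
    """Caret notation in the style of `cat -v`, so hidden bytes become reviewable.

    Tabs and newlines are kept as-is; other C0 bytes become ^X and DEL becomes ^?.
    """
    out: list[str] = []
    for b in data:
        if b == 0x7F:
            out.append("^?")
        elif b < 0x20 and b not in (0x09, 0x0A):
            out.append("^" + chr(b + 0x40))
        else:
            out.append(chr(b))
    return "".join(out)


# Constructed sample: a harmless command line with an embedded Ctrl+C and ESC.
SAMPLE = b"echo safe\x03echo unexpected\x1b[A\n"


def main() -> None:
    # Read candidate paste text from a pipe (e.g. a clipboard tool), else use SAMPLE.
    data = sys.stdin.buffer.read() if not sys.stdin.isatty() else SAMPLE
    hits = find_unsafe(data)
    for off, b, name in hits:
        print(f"offset {off}: 0x{b:02x} {name}")
    print("visible:", render_visible(data))
    print("sanitized:", sanitize_paste(data))
    sys.exit(1 if hits else 0)


if __name__ == "__main__":
    main()
```

Run it with clipboard text piped in (for example `xclip -selection clipboard -o | python3 check_paste.py` on X11); a non-zero exit status means at least one of the listed bytes was present, and the sanitised output is what a 1.3.0-style paste filter would hand to the shell.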