CVE-2026-26982
📋 TL;DR
Ghostty terminal emulator versions before 1.3.0 allow control characters like Ctrl+C in pasted/dropped text, which can execute arbitrary commands in some shell environments. Attackers can craft malicious text that appears normal but contains invisible control characters, requiring user interaction via copy-paste or drag-drop. This affects all Ghostty users on vulnerable versions across platforms.
💻 Affected Systems
- Ghostty
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary command execution with user privileges, potentially leading to data theft, malware installation, or lateral movement.
Likely Case
Limited command execution in user's shell context, potentially stealing session data, modifying files, or launching further attacks.
If Mitigated
No impact if patched or workarounds applied; otherwise limited to user's privilege level with proper security controls.
🎯 Exploit Status
Exploitation requires social engineering to convince user to copy/paste malicious text. No authentication needed as it targets the user's active session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.3.0
Vendor Advisory: https://github.com/ghostty-org/ghostty/security/advisories/GHSA-4jxv-xgrp-5m3r
Restart Required: Yes
Instructions:
1. Update Ghostty to version 1.3.0 or later.
2. Restart Ghostty terminal.
3. Verify version with 'ghostty --version'.
🔧 Temporary Workarounds
Disable paste/drop execution
Platform: all
Configure shell to not execute commands from pasted text containing control characters
For bash: set -o ignoreeof
For zsh: setopt ignore_eof
Use alternative terminal
Platform: all
Temporarily switch to another terminal emulator until patched
🧯 If You Can't Patch
- Train users to avoid copying/pasting untrusted text into terminal
- Implement application allowlisting to prevent unauthorized terminal usage
🔍 How to Verify
Check if Vulnerable:
Check Ghostty version: if below 1.3.0, system is vulnerable
Check Version:
ghostty --version
Verify Fix Applied:
Run 'ghostty --version' and confirm version is 1.3.0 or higher
📡 Detection & Monitoring
Log Indicators:
- Unexpected command execution following paste/drop operations
- Shell history showing commands with control characters
Network Indicators:
- Outbound connections following paste operations without user intent
SIEM Query:
Process creation where parent process is ghostty and command contains control characters
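The "shell history showing commands with control characters" indicator above, and a pre-paste check of untrusted text, can both be served by a small scanner. This is an added example, not code from Ghostty or the vendor advisory; the function names and the sample bytes are constructed for illustration.

```python
import sys
import unicodedata

# Whitespace controls that are expected in ordinary multi-line text.
ALLOWED = {"\t", "\n", "\r"}


def label(ch):
    """Caret notation for C0/DEL (U+0003 -> '^C'); U+XXXX for C1 controls."""
    cp = ord(ch)
    if cp < 0x20:
        return "^" + chr(cp + 0x40)
    return "^?" if cp == 0x7F else "U+%04X" % cp


def find_controls(text):
    """Return (line, column, label) for every unexpected control character."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            # Unicode category Cc covers U+0000-001F and U+007F-009F.
            if ch not in ALLOWED and unicodedata.category(ch) == "Cc":
                hits.append((lineno, col, label(ch)))
    return hits


def scan_bytes(raw):
    """Decode raw clipboard or history bytes leniently, then scan them."""
    return find_controls(raw.decode("utf-8", errors="replace"))


# Constructed sample: line 2 hides Ctrl+C, line 3 hides ESC and DEL.
SAMPLE = b"git status\nmake test\x03\nls \x1b[0m-la\x7f\ncat\tnotes.txt\n"

if __name__ == "__main__":
    # Scan a file given as argument (e.g. a shell history file), else
    # piped stdin (e.g. clipboard contents), else the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
    elif not sys.stdin.isatty():
        raw = sys.stdin.buffer.read()
    else:
        raw = SAMPLE
    findings = scan_bytes(raw)
    for lineno, col, name in findings:
        print("line %d, column %d: %s" % (lineno, col, name))
    sys.exit(1 if findings else 0)
```

The script exits non-zero when anything is found, so it can gate a paste helper or run as a periodic check over history files.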