CVE-2026-26982
Published: 10 March 2026
Summary
CVE-2026-26982 is a medium-severity OS Command Injection (CWE-78) vulnerability in Ghostty. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Copy and Paste (T1204.004); it is ranked at the 22.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-26982 is a vulnerability in Ghostty, a cross-platform terminal emulator, that permits control characters such as 0x03 (Ctrl+C) within pasted or dropped text. These characters can trigger execution of arbitrary commands in certain shell environments, classified as CWE-78 (OS Command Injection). The issue carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) and was published on 2026-03-10.
An attacker can exploit this by convincing a user to copy and paste, or drag and drop, text containing the invisible control characters; these are not easily detectable in most GUI environments, particularly when embedded in complex strings. No privileges are required, but user interaction is necessary to trigger the attack, which can have low impacts on confidentiality, integrity, and availability through arbitrary command execution in the targeted shell.
The vulnerability has been addressed in Ghostty version 1.3.0. Official mitigation details are available in the Ghostty security advisory (GHSA-4jxv-xgrp-5m3r), the fixing pull request (#10746), and the commit (fe7427ed2a1a02aef85495b384cfb8f11ee5efc9), recommending users upgrade to the patched release.
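The defensive check described above, written out as an added example (this is not Ghostty's code or its actual fix): pasted or dropped text is scanned for C0/C1 control characters and DEL before it is forwarded to the shell, and any hits are either stripped or rewritten in visible caret notation so the user can see what the clipboard really contained. The allow-list of tab, newline and carriage return, the sample paste string, and the `paste_verdict` policy are assumptions made for the example.

```python
"""Paste sanitizer illustrating the defensive check for control characters in
pasted or dropped text (CVE-2026-26982 class). Added example; not Ghostty's
own code and not its actual fix."""

# Assumption: these are the only control characters a paste may legitimately
# carry (multi-line command pastes need newline/CR, indented text needs tab).
ALLOWED_CONTROLS = {"\t", "\n", "\r"}


def is_disallowed_control(ch: str) -> bool:
    """True for C0 controls (0x00-0x1F), DEL (0x7F) and C1 controls (0x80-0x9F)
    that are not on the allow-list."""
    if ch in ALLOWED_CONTROLS:
        return False
    cp = ord(ch)
    return cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F


def caret_notation(cp: int) -> str:
    """Visible spelling of a control code: 0x03 -> '^C', 0x1B -> '^[', 0x7F -> '^?'."""
    if cp < 0x20:
        return "^" + chr(cp + 0x40)
    if cp == 0x7F:
        return "^?"
    return f"\\x{cp:02x}"  # C1 controls have no caret form


def find_control_chars(text: str) -> list[tuple[int, int, str]]:
    """Return (index, code point, caret spelling) for every disallowed control char."""
    return [
        (i, ord(ch), caret_notation(ord(ch)))
        for i, ch in enumerate(text)
        if is_disallowed_control(ch)
    ]


def sanitize_paste(text: str, mode: str = "strip") -> str:
    """Neutralize disallowed control characters.

    mode='strip'  removes them entirely.
    mode='escape' replaces them with visible caret notation, which is plain
                  printable text and therefore inert when sent to the shell.
    """
    if mode not in ("strip", "escape"):
        raise ValueError("mode must be 'strip' or 'escape'")
    out = []
    for ch in text:
        if not is_disallowed_control(ch):
            out.append(ch)
        elif mode == "escape":
            out.append(caret_notation(ord(ch)))
    return "".join(out)


def paste_verdict(text: str) -> tuple[str, str]:
    """Policy hook (assumed for the example): clean pastes pass through unchanged,
    anything carrying hidden control characters is returned in escaped form
    with a 'warn' verdict so the UI can prompt the user before sending it."""
    if not find_control_chars(text):
        return ("allow", text)
    return ("warn", sanitize_paste(text, "escape"))


# Constructed sample: looks like one harmless command in a GUI, but carries a
# hidden Ctrl+C (0x03) and an escape sequence (0x1B '[2J').
SAMPLE_PASTE = "echo hello\x03echo hidden\x1b[2J\n"

if __name__ == "__main__":
    for index, cp, shown in find_control_chars(SAMPLE_PASTE):
        print(f"offset {index}: U+{cp:04X} ({shown})")
    verdict, safe_text = paste_verdict(SAMPLE_PASTE)
    print(verdict, repr(safe_text))
```

Escaping rather than silently stripping is the more useful default for a terminal: the user sees `^C` in the pasted line and can decide whether that was expected, instead of being left with two commands joined together with no indication that anything was removed.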
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10363
Vulnerability details
Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables OS command injection via unsanitized control characters in paste and drag-and-drop input, directly facilitating T1204.004 (Malicious Copy and Paste) attacks that result in arbitrary execution via T1059.004 (Unix Shell).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of all input (including clipboard paste and drag-and-drop) to reject or neutralize dangerous control characters before they reach the shell.
- SI-2 (Flaw Remediation): mandates prompt application of the vendor patch (Ghostty v1.3.0) that removes the ability to pass raw control characters from paste/drop operations.
- Malicious code protection: provides malicious-code and command-injection protections that can block or alert on the arbitrary command execution attempted via the injected control characters.