Cyber Resilience

CVE-2026-26982

Medium

Published: 10 March 2026

Modified: 13 March 2026
CVSS Score v3.1: 6.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
EPSS Score: 0.0031 (22.2nd percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-26982 is a medium-severity OS Command Injection (CWE-78) vulnerability in Ghostty. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Copy and Paste (T1204.004). The vulnerability is ranked at the 22.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26982 is a vulnerability in Ghostty, a cross-platform terminal emulator, that permits control characters such as 0x03 (Ctrl+C) within pasted or dropped text. These characters can trigger execution of arbitrary commands in certain shell environments, classified as CWE-78 (OS Command Injection). The issue carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) and was published on 2026-03-10.

An attacker can exploit this by convincing a user to copy and paste, or drag and drop, text containing the malicious control characters; these characters are invisible in most GUI environments and are hard to spot, particularly amid complex strings. No privileges are required, but user interaction is necessary to trigger the attack, which can result in arbitrary command execution in the targeted shell with low impact on confidentiality, integrity, and availability.

The vulnerability has been addressed in Ghostty version 1.3.0. Official mitigation details are available in the Ghostty security advisory (GHSA-4jxv-xgrp-5m3r), the fixing pull request (#10746), and the commit (fe7427ed2a1a02aef85495b384cfb8f11ee5efc9), recommending users upgrade to the patched release.
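The input-validation mitigation described above (rejecting or neutralising dangerous control characters before pasted or dropped text reaches the shell), as an added example; this is not Ghostty's own code and does not reflect how the 1.3.0 fix is implemented. It assumes that tab, newline and carriage return are the only C0 characters a paste should keep, and that every other C0 byte, DEL and the C1 range should be stripped.

```python
"""Clipboard / drag-drop paste sanitizer (added example, not Ghostty's code)."""
from dataclasses import dataclass, field

# Assumption for this example: these are the only C0 controls worth preserving
# in pasted text (indentation and line breaks).
ALLOWED_CONTROLS = {"\t", "\n", "\r"}


def is_dangerous_control(ch: str) -> bool:
    """True for C0 (0x00-0x1F), DEL (0x7F) and C1 (0x80-0x9F) characters,
    except the allowed whitespace controls above."""
    cp = ord(ch)
    if ch in ALLOWED_CONTROLS:
        return False
    return cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F


@dataclass
class SanitizeResult:
    text: str                                   # cleaned text to forward to the pty
    removed: list = field(default_factory=list)  # (offset, code point) of each stripped char


def sanitize_paste(pasted: str) -> SanitizeResult:
    """Strip dangerous control characters from pasted text.

    Besides the cleaned text, the offsets and code points of every removed
    character are returned, so a terminal can warn the user instead of
    silently passing invisible bytes through to the shell.
    """
    kept, removed = [], []
    for offset, ch in enumerate(pasted):
        if is_dangerous_control(ch):
            removed.append((offset, ord(ch)))
        else:
            kept.append(ch)
    return SanitizeResult("".join(kept), removed)


# Constructed sample: ordinary text with an embedded 0x03 (Ctrl+C, the
# character named in the advisory) and an ESC (0x1B), both of which a GUI
# clipboard would render invisibly. Note that stripping ESC leaves the
# following "[0m" behind as plain, harmless text.
SAMPLE_PASTE = "echo hello\x03 world\x1b[0m\n"

if __name__ == "__main__":
    result = sanitize_paste(SAMPLE_PASTE)
    print(repr(result.text), result.removed)  # 'echo hello world[0m\n' [(10, 3), (17, 27)]
```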


Vulnerability details

Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.004 Malicious Copy and Paste Execution
An adversary may rely upon a user copying and pasting code in order to gain execution.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability enables OS command injection via unsanitized control characters in paste and drag-drop input, directly facilitating T1204.004 (Malicious Copy and Paste) attacks that result in arbitrary execution via T1059.004 (Unix Shell).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-55590 (shared CWE-78)
CVE-2026-45629 (shared CWE-78)
CVE-2026-45630 (shared CWE-78)
CVE-2025-34227 (shared CWE-78)
CVE-2026-1460 (shared CWE-78)
CVE-2025-22606 (shared CWE-78)
CVE-2026-26280 (shared CWE-78)
CVE-2026-31386 (shared CWE-78)
CVE-2024-57019 (shared CWE-78)
CVE-2026-45152 (shared CWE-78)

Affected Assets

ghostty / ghostty: ≤ 1.3.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of all input (including clipboard paste and drag-drop) to reject or neutralize dangerous control characters before they reach the shell.

SI-2 Flaw Remediation (prevent): Mandates prompt application of the vendor patch (Ghostty v1.3.0) that removes the ability to pass raw control characters from paste/drop operations.

Prevent / detect: Provides malicious-code and command-injection protections that can block or alert on the arbitrary command execution attempted via the injected control characters.
