UBUNTU-CVE-2026-26982

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-26982

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26982.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-26982

Upstream

CVE-2026-26982

Published

2026-03-10T07:42:00Z

Modified

2026-05-20T16:24:49.929983218Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.

References

Affected packages

Ubuntu:26.04:LTS / ghostty

Package

Name: ghostty
Purl: pkg:deb/ubuntu/ghostty?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.0~us1-0ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "ghostty",
            "binary_version": "1.3.0~us1-0ubuntu1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26982.json"