Terminal emulators like Kitty and xfce4-terminal are vulnerable to command injection via drag-and-drop file insertion. A filename that embeds control characters (for example a Ctrl+C, followed by a command and an Enter) is inserted into the input line without sanitization, so the embedded command executes. Attackers can exploit this through malicious files in downloaded archives or cloned repositories.
Command Execution via Drag-and-Drop in Terminal Emulators
Kitty, xfce4-terminal, and other popular terminal emulators execute arbitrary commands when users drag-and-drop files with control-character-embedded filenames.
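A defender-side check for the file-name pattern described above, added here as an example and not code from the article or from any of the affected terminal projects. It flags names carrying C0/C1 control bytes in an extracted archive or cloned repository and renders them in visible caret notation; the helper names and the sample names are constructed for this illustration.

```python
"""Flag and neutralise filenames carrying terminal control characters."""
from __future__ import annotations
import os
from typing import Iterable, Iterator

# C0 controls (0x00-0x1f), DEL (0x7f) and C1 controls (0x80-0x9f) are the
# characters a terminal may treat as keystrokes or escape sequences when a
# dropped filename is inserted verbatim into the shell's input line.
def has_control_chars(name: str) -> bool:
    return any(ord(c) < 0x20 or 0x7F <= ord(c) <= 0x9F for c in name)

def sanitize_filename(name: str) -> str:
    """Render control characters visibly (caret notation or \\xNN) so the
    name can be displayed or inserted without being interpreted."""
    out = []
    for c in name:
        code = ord(c)
        if code < 0x20:
            out.append("^" + chr(code + 0x40))   # 0x03 -> ^C, 0x0a -> ^J
        elif code == 0x7F:
            out.append("^?")
        elif 0x80 <= code <= 0x9F:
            out.append("\\x%02x" % code)         # C1 range, e.g. \x9b (CSI)
        else:
            out.append(c)
    return "".join(out)

def find_unsafe_names(names: Iterable[str]) -> list[tuple[str, str]]:
    """Return (original, sanitized) pairs for every name that needs attention."""
    return [(n, sanitize_filename(n)) for n in names if has_control_chars(n)]

def scan_tree(root: str) -> Iterator[tuple[str, str]]:
    """Walk an extracted archive or cloned repo; yield flagged paths."""
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            if has_control_chars(n):
                yield os.path.join(dirpath, n), sanitize_filename(n)

if __name__ == "__main__":
    # Constructed sample names: the second carries a Ctrl-C byte and a
    # newline, the third an ESC byte; both would be inserted raw by a
    # terminal that does not sanitize dropped filenames.
    sample = ["README.md", "notes\x03\n.txt", "logo\x1b[0m.png"]
    for original, shown in find_unsafe_names(sample):
        print(f"flagged: {shown!r}")
```

Run `scan_tree` over a freshly extracted download before opening a terminal in it; any flagged entry should be renamed or discarded.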
Tuesday, April 21, 2026 12:00 PM UTC | 2 min read | Source: Lobsters | By sys://pipeline