{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-54056/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-12T20:06:06.437Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-54056","@id":"https://www.cve.org/CVERecord?id=CVE-2026-54056","description":"Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote `text/uri-list` drops are staged in a temporary directory, but on case-sensitive filesystems duplicate remote basenames are not de-duplicated. An attacker can first create a staged symlink and then send a same-name regular-file entry. The regular-file write uses `utils.CreateAt...` [description truncated here; see the CVE record linked in @id for the full text]"},"products":[{"@id":"cpe:2.3:a:kovidgoyal:kitty:\\>\\=_0.47.0\\,_\\<_0.47.2:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:kovidgoyal:kitty:\\>\\=_0.47.0\\,_\\<_0.47.2:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-12T20:06:06.437Z"}]}