{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41253", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-18T05:27:07.778Z", "datePublished": "2026-04-18T05:27:08.202Z", "dateUpdated": "2026-04-20T15:52:10.357Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "iTerm2", "vendor": "iTerm2", "versions": [{"lessThanOrEqual": "3.6.9", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conductor encoding path, such as a pathname with an initial ace/c+ substring, aka \"hypothetical in-band signaling abuse.\" This occurs because iTerm2 accepts the SSH conductor protocol from terminal output that does not originate from a legitimate conductor session."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-18T05:32:12.583Z"}, "references": [{"url": "https://iterm2.com/downloads.html"}, {"url": "https://blog.calif.io/p/mad-bugs-even-cat-readmetxt-is-not"}, {"url": "https://github.com/gnachman/iTerm2/commit/a9e745993c2e2cbb30b884a16617cd5495899f86"}, {"url": "https://news.ycombinator.com/item?id=47809190"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:iterm2:iterm2:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.6.9"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T15:51:58.997961Z", "id": "CVE-2026-41253", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:52:10.357Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41253", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T15:51:58.997961Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:52:06.515Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "iTerm2", "product": "iTerm2", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.6.9"}], "defaultStatus": "unknown"}], "references": [{"url": "https://iterm2.com/downloads.html"}, {"url": "https://blog.calif.io/p/mad-bugs-even-cat-readmetxt-is-not"}, {"url": "https://github.com/gnachman/iTerm2/commit/a9e745993c2e2cbb30b884a16617cd5495899f86"}, {"url": "https://news.ycombinator.com/item?id=47809190"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conductor encoding path, such as a pathname with an initial ace/c+ substring, aka \"hypothetical in-band signaling abuse.\" This occurs because iTerm2 accepts the SSH conductor protocol from terminal output that does not originate from a legitimate conductor session."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:iterm2:iterm2:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "3.6.9"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-18T05:32:12.583Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41253", "state": "PUBLISHED", "dateUpdated": "2026-04-20T15:52:10.357Z", "dateReserved": "2026-04-18T05:27:07.778Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-18T05:27:08.202Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conductor encoding path, such as a pathname with an initial ace/c+ substring, aka \"hypothetical in-band signaling abuse.\" This occurs because iTerm2 accepts the SSH conductor protocol from terminal output that does not originate from a legitimate conductor session."}], "id": "CVE-2026-41253", "lastModified": "2026-04-20T19:05:30.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 5.5, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-18T06:16:17.427", "references": [{"source": "cve@mitre.org", "url": "https://blog.calif.io/p/mad-bugs-even-cat-readmetxt-is-not"}, {"source": "cve@mitre.org", "url": "https://github.com/gnachman/iTerm2/commit/a9e745993c2e2cbb30b884a16617cd5495899f86"}, {"source": "cve@mitre.org", "url": "https://iterm2.com/downloads.html"}, {"source": "cve@mitre.org", "url": "https://news.ycombinator.com/item?id=47809190"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.9]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "iTerm2", "source": "cna", "vendor": "iTerm2"}, "product": "iterm2", "vendor": "iterm2"}], "analysis": {"en": {"generated_at": "2026-04-18T19:24:48.645113+00:00", "value": {"mitigation_remediation": ["Upgrade iTerm2 to the latest release that removes the vulnerable handling of the SSH conductor escape sequences.", "Until an upgrade is available, avoid opening plain\u2011text files that are stored in directories containing files with unusual or suspicious names such as those beginning with \"ace/c+\", and verify file names before viewing.", "Run iTerm2 with minimal privileges or in a sandboxed environment to limit the impact should exploitation occur."], "summary": {"action": "Immediate Patch", "impact": "Local Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is iTerm2 from the vendor iTerm2. Versions up to and including 3.6.9 experience the flaw. All earlier releases prior to 3.6.9 are not noted as affected, and no fix version is given in the CVE data.", "description_and_impact": "The vulnerability allows a local attacker to execute arbitrary code when viewing a plain\u2011text file in iTerm2. It arises because the application accepts SSH conductor escape sequences from terminal output that does not belong to a legitimate conductor session, causing DCS 2000p and OSC 135 sequences to be interpreted. When the working directory contains a specially crafted file whose name matches the expected conductor\u2011encoded path\u2014such as a name beginning with \"ace/c+\"\u2014the embedded escape sequences can trigger code execution. This weakness is classified as CWE\u2011829.", "risk_and_exploitability": "The CVSS base score of 6.9 indicates moderate severity. The EPSS score of less than 1% suggests low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Because the attack requires a local user to open a .txt file in a directory that contains a maliciously named file, the vector is local. Exploit conditions include presence of properly encoded filename and the ability to view the file content in iTerm2. The overall risk is moderate for users who routinely open untrusted text files from directories that may contain unknown file names."}}}}, "created": "2026-04-18T08:00:05.676202+00:00", "title": "Local Code Execution via SSH Conductor Escape Sequences in iTerm2", "updated": "2026-04-18T19:30:08.938331+00:00", "vendors": ["iterm2", "iterm2$PRODUCT$iterm2"]}