CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Iterm2: >> Iterm2 >> 3.5.15 Security Vulnerabilities

CVE-2026-41253

In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conductor encoding path, such as a pathname with an initial ace/c+ substring, aka "hypothetical in-band signaling abuse." This occurs because iTerm2 accepts the SSH conductor protocol from terminal output that does not originate from a legitimate conductor session.

CVSS Score

6.9

EPSS Score

0.002

Published

2026-04-18

Page 1

Vulnerabilities

Vulnerable Software

Iterm2: >> Iterm2 >> 3.5.15 Security Vulnerabilities

Products

Pricing

Contact Us