cvedb.io
CVE-2026-41253
MEDIUM · CVSS 6.9
EPSS exploitation probability: 0%
Published 2026-04-18T06:16:17.427 · Last modified 2026-06-17T10:46:23.350

Summary

In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conductor encoding path, such as a pathname with an initial ace/c+ substring, aka "hypothetical in-band signaling abuse." This occurs because iTerm2 accepts the SSH conductor protocol from terminal output that does not originate from a legitimate conductor session.

Affected products

iterm2 — iterm2

Does this affect you?

Add your gear to cvedb and we'll alert you only when iterm2 ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.