Command Execution via Drag-and-Drop in Terminal Emulators
Many people may not be aware that terminal emulators such as Kitty and xfce4-terminal support dragging and dropping of files into the terminal to insert the file's path directly at the cursor position. While this feature has existed for a while, more people have started to notice this as Claude Code has grown in popularity and allows users to drag and drop files for Claude to process.
But as we all know, fun features tend to come with fun vulnerabilities!
Proof of Concept
The payload used to achieve this is:
\x03 gnome-calculator \x0d.txt
Here is a breakdown of what each part does:
\x03 - End of Text, equivalent to pressing Ctrl+C
gnome-calculator - The command to be executed
\x0D - Carriage Return, equivalent to pressing Enter
More details about these control characters and their history are covered in PortSwigger's awesome research article by Zakhar Fedotkin. The short version is that the terminals interpret these characters literally: \x03 clears whatever was already on the line, the command text is inserted, and \x0D submits it. Since dragged file paths are inserted into the command line without any sanitization, the payload gets executed as if the user had typed it themselves.
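The defensive side of the mechanism just described, as an added example that is not code from the post or from any of the terminal emulators it names: a small Python module that (1) neutralises control characters in a path before it is pasted at the prompt, the kind of fix a drag-and-drop handler needs, and (2) audits a list of filenames (or a directory tree) for names carrying such characters, which is how you would check an unpacked archive or a freshly cloned repository. Function names, the caret-notation choice and the sample filenames are my own assumptions; the sample list reuses the filename pattern shown above purely as detector input.

```python
"""Defensive handling of dragged-and-dropped file paths.

Added example, not code from the post or from any terminal emulator.
The key point: shell quoting alone does not help, because the terminal
acts on bytes like \x03 and \x0d as keystrokes before the shell ever
sees them. Control characters must be removed or made visible first.
"""
import os
import shlex
import unicodedata


def is_control(ch: str) -> bool:
    """True for C0 controls (0x00-0x1F), DEL (0x7F) and C1 controls (0x80-0x9F)."""
    return unicodedata.category(ch) == "Cc"


def control_chars_in(name: str) -> list[str]:
    """Return the control characters found in a filename as \\xNN escapes."""
    return [f"\\x{ord(c):02x}" for c in name if is_control(c)]


def sanitize_dropped_path(path: str) -> str:
    """Make a dropped path safe to insert at the prompt (assumed approach).

    C0 controls and DEL are rewritten in caret notation (^C, ^M, ^?) so the
    user can see that something odd was in the name; C1 controls, which have
    no caret form, are dropped. The result is then quoted with shlex.quote so
    spaces and shell metacharacters are inert. Nothing in the returned text
    can act as a keystroke, so the user still has to press Enter themselves.
    """
    visible = "".join(
        "^" + chr(ord(c) ^ 0x40) if ord(c) < 0x20 or ord(c) == 0x7F
        else "" if is_control(c)
        else c
        for c in path
    )
    return shlex.quote(visible)


def find_suspicious_names(names) -> dict[str, list[str]]:
    """Map each filename containing control characters to the escapes found."""
    return {n: esc for n in names if (esc := control_chars_in(n))}


def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk a directory tree and report every entry whose name has control characters."""
    hits: dict[str, list[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if esc := control_chars_in(name):
                hits[os.path.join(dirpath, name)] = esc
    return hits


# Constructed sample input: two benign names, the filename pattern from the
# post, and a long-prefix variant of the kind a file manager would truncate.
SAMPLE_NAMES = [
    "notes.txt",
    "report final.pdf",
    "\x03 gnome-calculator \x0d.txt",
    "quarterly-figures-" * 8 + "\x03 gnome-calculator \x0d.txt",
]


if __name__ == "__main__":
    for name, esc in find_suspicious_names(SAMPLE_NAMES).items():
        print(f"control characters {esc} found; safe form: {sanitize_dropped_path(name)}")
```

Run it as a script to see the two flagged names, or call scan_directory on the root of an extracted archive; anything it reports is a filename no legitimate project needs and is worth quarantining before it ever reaches a file manager.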
Realistic Attack Scenario
Imagine downloading a zip file or cloning a git repo that contains a file with this payload as its filename. You open your GUI file manager, spot a .txt file, and drag it into your terminal to quickly cat it, but instead of reading the file, you've just executed a malicious command.
One might argue that the malicious payload would be visible in the filename, raising suspicion. But if a long string is prepended to the filename, most file managers will truncate it, hiding the payload.

Many Vulnerable Terminal Emulators
As shown below, this works in xfce4-terminal as well.
Both vulnerabilities have been reported to the projects' maintainers and have been patched. However, no CVE has been assigned because MITRE has been unresponsive, likely due to the funding cuts.
Several other terminal emulators share the same vulnerability. I've reported it to their maintainers but have not received any response regarding a fix. In the meantime, I would recommend switching to a terminal emulator that is either not affected or has been patched, such as Ghostty (patched, originally found by Nguyen Thanh Son), Alacritty (does not support drag-and-drop), Kitty (patched), or XFCE4 Terminal (patched).