PT-2026-48992 · Kovid Goyal · Kitty

Published: 2026-06-12 · Updated: 2026-06-12 · CVE-2026-54056

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L
Kitty is a cross-platform GPU-based terminal. In versions 0.47.0 and 0.47.1, kitten dnd can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote text/uri-list drops are staged in a temporary directory, but on case-sensitive filesystems duplicate remote basenames are not de-duplicated. An attacker can first create a staged symlink and then send a same-name regular-file entry. The regular-file write uses utils.CreateAt() / openat(O_RDWR|O_CREAT|O_TRUNC) without O_NOFOLLOW, so it follows the attacker-created symlink and writes outside the staging directory before the final overwrite confirmation runs.

This appears related in class to the file-transfer symlink advisory, but it is a different bug: it affects kitten dnd remote drag-and-drop staging, involves different vulnerable code (kittens/dnd/drop.go and tools/utils/file_at_fd.go), and reproduces on commit 4aa4a5c0567a92553a8c20a88a4352da637fca5d, after the file-transfer O_NOFOLLOW fix. Version 0.47.2 patches the issue.
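As an added example (not kitty's own code and not the project's utils.CreateAt), the Go fixture below reproduces the staging pattern the advisory describes and places the hardened openat flag set beside the vulnerable one. stageAt, RunScenario, the must helper and the file names are hypothetical; everything lives in a temp directory that is removed afterwards.

```go
package main

import (
	"os"
	"path/filepath"
	"syscall"
)

// stageAt writes drop entry `name` into the staging dir open at dirfd. hardened=false
// is the advisory's flag set (O_RDWR|O_CREAT|O_TRUNC), which follows a symlink already
// staged under that name; hardened=true adds O_NOFOLLOW and O_EXCL so it is refused.
func stageAt(dirfd int, name string, data []byte, hardened bool) error {
	flags := syscall.O_RDWR | syscall.O_CREAT | syscall.O_TRUNC
	if hardened {
		flags |= syscall.O_NOFOLLOW | syscall.O_EXCL // no trailing-symlink follow, no reuse of an existing basename
	}
	fd, err := syscall.Openat(dirfd, name, flags, 0o600)
	if err != nil {
		return err
	}
	defer syscall.Close(fd)
	_, err = syscall.Write(fd, data)
	return err
}

// RunScenario builds a constructed fixture (a victim file outside the staging dir, a
// staged symlink "payload.txt" pointing at it, then a same-name regular-file write) and
// returns the victim's final content plus the error from that second write, if any.
func RunScenario(hardened bool) (victim string, werr error) {
	root, err := os.MkdirTemp("", "dnd-demo")
	must(err)
	defer os.RemoveAll(root)
	victimPath, staging := filepath.Join(root, "victim.txt"), filepath.Join(root, "staging")
	must(os.WriteFile(victimPath, []byte("original"), 0o600))
	must(os.Mkdir(staging, 0o700))
	must(os.Symlink(victimPath, filepath.Join(staging, "payload.txt")))
	dirfd, err := syscall.Open(staging, syscall.O_RDONLY|syscall.O_DIRECTORY, 0)
	must(err)
	defer syscall.Close(dirfd)
	werr = stageAt(dirfd, "payload.txt", []byte("replaced"), hardened)
	b, err := os.ReadFile(victimPath)
	must(err)
	return string(b), werr
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
```

With hardened=false the victim file ends up containing "replaced"; with hardened=true the second write fails with EEXIST (or ELOOP) and the victim is untouched.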

Weakness Enumeration: Link Following

Related Identifiers: CVE-2026-54056

Affected Products: Kitty