{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2026-26982","title":"Title"},{"category":"description","text":"Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2026-26982","url":"https://www.suse.com/security/cve/CVE-2026-26982"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1259440 for CVE-2026-26982","url":"https://bugzilla.suse.com/1259440"}],"title":"SUSE CVE CVE-2026-26982","tracking":{"current_release_date":"2026-03-15T00:24:04Z","generator":{"date":"2026-03-11T00:25:14Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2026-26982","initial_release_date":"2026-03-11T00:25:14Z","revision_history":[{"date":"2026-03-11T00:25:14Z","number":"2","summary":"vulnerabilities added,references added,severity changed from  to moderate"},{"date":"2026-03-15T00:24:04Z","number":"3","summary":"scores added,severity changed from moderate to important"}],"status":"interim","version":"3"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"ghostty-1.3.0-1.1","product":{"name":"ghostty-1.3.0-1.1","product_id":"ghostty-1.3.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/ghostty@1.3.0-1.1"}}},{"category":"product_version","name":"ghostty-bash-completion-1.3.0-1.1","product":{"name":"ghostty-bash-completion-1.3.0-1.1","product_id":"ghostty-bash-completion-1.3.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/ghostty-bash-completion@1.3.0-1.1"}}},{"category":"product_version","name":"ghostty-devel-1.3.0-1.1","product":{"name":"ghostty-devel-1.3.0-1.1","product_id":"ghostty-devel-1.3.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/ghostty-devel@1.3.0-1.1"}}},{"category":"product_version","name":"ghostty-doc-1.3.0-1.1","product":{"name":"ghostty-doc-1.3.0-1.1","product_id":"ghostty-doc-1.3.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/ghostty-doc@1.3.0-1.1"}}},{"category":"product_version","name":"ghostty-fish-completion-1.3.0-1.1","product":{"name":"ghostty-fish-completion-1.3.0-1.1","product_id":"ghostty-fish-completion-1.3.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/ghostty-fish-completion@1.3.0-1.1"}}},{"category":"product_version","name":"ghostty-lang-1.3.0-1.1","product":{"name":"ghostty-lang-1.3.0-1.1","product_id":"ghostty-lang-1.3.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/ghostty-lang@1.3.0-1.1"}}},{"category":"product_version","name":"ghostty-neovim-1.3.0-1.1","product":{"name":"ghostty-neovim-1.3.0-1.1","product_id":"ghostty-neovim-1.3.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/ghostty-neovim@1.3.0-1.1"}}},{"category":"product_version","name":"ghostty-nushell-completion-1.3.0-1.1","product":{"name":"ghostty-nushell-completion-1.3.0-1.1","product_id":"ghostty-nushell-completion-1.3.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/ghostty-nushell-completion@1.3.0-1.1"}}},{"category":"product_version","name":"ghostty-vim-1.3.0-1.1","product":{"name":"ghostty-vim-1.3.0-1.1","product_id":"ghostty-vim-1.3.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/ghostty-vim@1.3.0-1.1"}}},{"category":"product_version","name":"ghostty-zsh-completion-1.3.0-1.1","product":{"name":"ghostty-zsh-completion-1.3.0-1.1","product_id":"ghostty-zsh-completion-1.3.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/ghostty-zsh-completion@1.3.0-1.1"}}},{"category":"product_version","name":"libghostty-vt0-1.3.0-1.1","product":{"name":"libghostty-vt0-1.3.0-1.1","product_id":"libghostty-vt0-1.3.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/libghostty-vt0@1.3.0-1.1"}}},{"category":"product_version","name":"nautilus-extension-ghostty-1.3.0-1.1","product":{"name":"nautilus-extension-ghostty-1.3.0-1.1","product_id":"nautilus-extension-ghostty-1.3.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/nautilus-extension-ghostty@1.3.0-1.1"}}},{"category":"product_version","name":"terminfo-ghostty-1.3.0-1.1","product":{"name":"terminfo-ghostty-1.3.0-1.1","product_id":"terminfo-ghostty-1.3.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/terminfo-ghostty@1.3.0-1.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"ghostty-1.3.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ghostty-1.3.0-1.1"},"product_reference":"ghostty-1.3.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ghostty-bash-completion-1.3.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ghostty-bash-completion-1.3.0-1.1"},"product_reference":"ghostty-bash-completion-1.3.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ghostty-devel-1.3.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ghostty-devel-1.3.0-1.1"},"product_reference":"ghostty-devel-1.3.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ghostty-doc-1.3.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ghostty-doc-1.3.0-1.1"},"product_reference":"ghostty-doc-1.3.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ghostty-fish-completion-1.3.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ghostty-fish-completion-1.3.0-1.1"},"product_reference":"ghostty-fish-completion-1.3.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ghostty-lang-1.3.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ghostty-lang-1.3.0-1.1"},"product_reference":"ghostty-lang-1.3.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ghostty-neovim-1.3.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ghostty-neovim-1.3.0-1.1"},"product_reference":"ghostty-neovim-1.3.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ghostty-nushell-completion-1.3.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ghostty-nushell-completion-1.3.0-1.1"},"product_reference":"ghostty-nushell-completion-1.3.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ghostty-vim-1.3.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ghostty-vim-1.3.0-1.1"},"product_reference":"ghostty-vim-1.3.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ghostty-zsh-completion-1.3.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ghostty-zsh-completion-1.3.0-1.1"},"product_reference":"ghostty-zsh-completion-1.3.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"libghostty-vt0-1.3.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:libghostty-vt0-1.3.0-1.1"},"product_reference":"libghostty-vt0-1.3.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"nautilus-extension-ghostty-1.3.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:nautilus-extension-ghostty-1.3.0-1.1"},"product_reference":"nautilus-extension-ghostty-1.3.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"terminfo-ghostty-1.3.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:terminfo-ghostty-1.3.0-1.1"},"product_reference":"terminfo-ghostty-1.3.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2026-26982","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2026-26982"}],"notes":[{"category":"general","text":"Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Tumbleweed:ghostty-1.3.0-1.1","openSUSE Tumbleweed:ghostty-bash-completion-1.3.0-1.1","openSUSE Tumbleweed:ghostty-devel-1.3.0-1.1","openSUSE Tumbleweed:ghostty-doc-1.3.0-1.1","openSUSE Tumbleweed:ghostty-fish-completion-1.3.0-1.1","openSUSE Tumbleweed:ghostty-lang-1.3.0-1.1","openSUSE Tumbleweed:ghostty-neovim-1.3.0-1.1","openSUSE Tumbleweed:ghostty-nushell-completion-1.3.0-1.1","openSUSE Tumbleweed:ghostty-vim-1.3.0-1.1","openSUSE Tumbleweed:ghostty-zsh-completion-1.3.0-1.1","openSUSE Tumbleweed:libghostty-vt0-1.3.0-1.1","openSUSE Tumbleweed:nautilus-extension-ghostty-1.3.0-1.1","openSUSE Tumbleweed:terminfo-ghostty-1.3.0-1.1"]},"references":[{"category":"external","summary":"CVE-2026-26982","url":"https://www.suse.com/security/cve/CVE-2026-26982"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1259440 for CVE-2026-26982","url":"https://bugzilla.suse.com/1259440"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Tumbleweed:ghostty-1.3.0-1.1","openSUSE Tumbleweed:ghostty-bash-completion-1.3.0-1.1","openSUSE Tumbleweed:ghostty-devel-1.3.0-1.1","openSUSE Tumbleweed:ghostty-doc-1.3.0-1.1","openSUSE Tumbleweed:ghostty-fish-completion-1.3.0-1.1","openSUSE Tumbleweed:ghostty-lang-1.3.0-1.1","openSUSE Tumbleweed:ghostty-neovim-1.3.0-1.1","openSUSE Tumbleweed:ghostty-nushell-completion-1.3.0-1.1","openSUSE Tumbleweed:ghostty-vim-1.3.0-1.1","openSUSE Tumbleweed:ghostty-zsh-completion-1.3.0-1.1","openSUSE Tumbleweed:libghostty-vt0-1.3.0-1.1","openSUSE Tumbleweed:nautilus-extension-ghostty-1.3.0-1.1","openSUSE Tumbleweed:terminfo-ghostty-1.3.0-1.1"]}],"scores":[{"cvss_v3":{"baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["openSUSE Tumbleweed:ghostty-1.3.0-1.1","openSUSE Tumbleweed:ghostty-bash-completion-1.3.0-1.1","openSUSE Tumbleweed:ghostty-devel-1.3.0-1.1","openSUSE Tumbleweed:ghostty-doc-1.3.0-1.1","openSUSE Tumbleweed:ghostty-fish-completion-1.3.0-1.1","openSUSE Tumbleweed:ghostty-lang-1.3.0-1.1","openSUSE Tumbleweed:ghostty-neovim-1.3.0-1.1","openSUSE Tumbleweed:ghostty-nushell-completion-1.3.0-1.1","openSUSE Tumbleweed:ghostty-vim-1.3.0-1.1","openSUSE Tumbleweed:ghostty-zsh-completion-1.3.0-1.1","openSUSE Tumbleweed:libghostty-vt0-1.3.0-1.1","openSUSE Tumbleweed:nautilus-extension-ghostty-1.3.0-1.1","openSUSE Tumbleweed:terminfo-ghostty-1.3.0-1.1"]}],"threats":[{"category":"impact","date":"2026-03-10T09:00:45Z","details":"important"}],"title":"CVE-2026-26982"}]}