Technical blog | Netsecurity

Command Execution via Drag-and-Drop in Terminal Emulators

Written by Siddharth Dushantha | May 18, 2026 6:00:00 AM

Many people may not be aware that terminal emulators such as Tabby, Kitty and xfce4-terminal support dragging and dropping of files into the terminal to insert the file's path directly at the cursor position. While this feature has existed for a while, more people have started to notice this as Claude Code has grown in popularity and allows users to drag and drop files for Claude to process.

But as we all know, fun features tend to come with fun vulnerabilities!

Proof of Concept

The payload used to achieve command execution is:

\x03 gnome-calculator \x0d.txt

Here is a breakdown of what each part does:

  • \x03 - End of Text (ETX), equivalent to pressing Ctrl+C, which clears whatever was already on the command line
  • gnome-calculator - The command to be executed
  • \x0d - Carriage Return (CR), equivalent to pressing Enter, which submits the line

More details about these control characters and their history are covered in PortSwigger's awesome research article by Zakhar Fedotkin. The short version is that the terminal treats these bytes exactly as if they had been typed on the keyboard, and since dragged file paths are inserted into the command line without any sanitization, the payload gets executed as if the user had typed it themselves.

Realistic Attack Scenario

Imagine downloading a zip file or cloning a git repo that contains a file with this payload as its filename. You open your GUI file manager, spot a .txt file, and drag it into your terminal to quickly cat it, but instead of reading the file, you've just executed a malicious command.

One might argue that the malicious payload would be visible in the filename, raising suspicion. But if a long string is prepended to the filename, most file managers will truncate it, hiding part or all of the payload.
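As an added defender-side example (not code from the post, and not the patch any of the terminals named actually shipped), the Python below shows both halves of the problem described in the two sections above: what a terminal should do before inserting a dropped path (strip C0/C1 control characters such as Ctrl+C, CR and ESC, then shell-quote the rest) and a scan that flags filenames carrying such characters in a downloaded archive or cloned tree, including the long-prefix variant that a file manager would truncate. The sample names are constructed for the example; the first reproduces the payload string quoted in the post, and all function names are my own.

```python
import os
import re
import shlex

# Constructed sample filenames (not taken from any real archive or repository).
# The first entry reproduces the payload string quoted in the post; the second
# prepends a long run of characters so a file manager would truncate it.
SAMPLE_NAMES = [
    "\x03 gnome-calculator \x0d.txt",
    "A" * 120 + "\x03 gnome-calculator \x0d.txt",
    "quarterly report.txt",      # benign: needs quoting for the space, nothing more
    "notes\x1b[31m.md",          # an ANSI escape sequence smuggled into a name
    "résumé.pdf",                # non-ASCII but harmless
]

# C0 controls (0x00-0x1F), DEL (0x7F) and C1 controls (0x80-0x9F). A terminal may
# act on any of these instead of displaying them, so none belongs in an inserted path.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f\x80-\x9f]")


def describe_control(ch: str) -> str:
    """Caret notation for a control character: 0x03 -> ^C, 0x0d -> ^M, 0x1b -> ^[."""
    code = ord(ch)
    if code < 0x20:
        return "^" + chr(code + 0x40)
    if code == 0x7F:
        return "^?"
    return f"\\x{code:02x}"          # C1 controls have no caret form


def contains_control_chars(name: str) -> bool:
    """True if the name carries any C0/C1 control character."""
    return _CONTROL_CHARS.search(name) is not None


def sanitize_dropped_path(path: str) -> str:
    """Hardened insertion: strip control characters, then shell-quote the rest so
    spaces and shell metacharacters land on the command line literally. This is
    the behaviour a terminal emulator should have for a dropped file (hypothetical
    reference implementation, not any project's actual patch)."""
    cleaned = _CONTROL_CHARS.sub("", path)
    return shlex.quote(cleaned)


def find_suspicious_names(names):
    """Return [(name, [caret descriptions])] for every name with control characters."""
    findings = []
    for name in names:
        hits = _CONTROL_CHARS.findall(name)
        if hits:
            findings.append((name, [describe_control(c) for c in hits]))
    return findings


def scan_tree(root: str):
    """Walk a downloaded or cloned tree and flag every file or directory name
    that would be dangerous to drag into an unpatched terminal."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            if contains_control_chars(n):
                ctrls = [describe_control(c) for c in _CONTROL_CHARS.findall(n)]
                findings.append((os.path.join(dirpath, n), ctrls))
    return findings


if __name__ == "__main__":
    for name, ctrls in find_suspicious_names(SAMPLE_NAMES):
        shown = name if len(name) <= 40 else name[:20] + "..." + name[-20:]
        print(f"FLAGGED {shown!r}: control characters {ctrls}")
    for name in SAMPLE_NAMES:
        print(f"insert as: {sanitize_dropped_path(name)}")
```

Two design notes: the scanner checks each path component on its own, so a directory with a control character in its name is reported once rather than for every file beneath it; and `shlex.quote` produces POSIX-shell quoting, so a terminal that targets cmd.exe or PowerShell would need a different quoting step after the same control-character strip.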

Many Vulnerable Terminal Emulators

All three vulnerabilities (in Tabby, Kitty and xfce4-terminal) have been reported to the projects' maintainers and have been patched. However, only the Tabby vulnerability has been assigned a CVE (CVE-2026-45038). This was requested through GitHub's CNA, while the other two vulnerabilities were submitted through MITRE, which has been unresponsive, likely due to recent funding cuts.

Several other terminal emulators share the same vulnerability. I've reported it to their maintainers but have not received any response regarding a fix. In the meantime, I would recommend switching to a terminal emulator that is either not affected or has been patched, such as Ghostty (patched, originally found by Nguyen Thanh Son), Alacritty (does not support drag-and-drop), Kitty (patched), or XFCE4 Terminal (patched).