Tech Apr 19, 2026 11 min iTerm2 CVE-2026-41253: SSH Conductor Protocol Confusion Lets `cat readme.txt` Run Arbitrary Code A vulnerability in iTerm2 3.6.9 and earlier where simply displaying a malicious file with cat triggers local code execution. Caused by conductor impersonation in SSH Integration, fixed in 3.7.0. iTerm2 Security macOS SSH Terminal
