KiTTY versions 0.76.1.13 and below suffer from a command injection vulnerability when getting a remote file through scp. It appears to leverage an ANSI escape sequence issue which is quite an interesting vector of attack.
9f28adde33c5791a14e7705f8844a344ce30e9443338e16ab264e1393fd4e9a8