Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation, sanitization, or sandboxing. An attacker can craft a malicious link (tabby://run?command=...) and deliver it via a website, email, chat message, or any other medium. When a victim clicks the link, the OS launches Tabby which immediately spawns the specified command as a child process with the user's full privileges. This is a zero-click-after-link-visit RCE vulnerability. This vulnerability is fixed in 1.0.233.
AnalysisAI
Remote code execution in Tabby terminal emulator versions prior to 1.0.233 allows unauthenticated attackers to execute arbitrary OS commands via malicious tabby:// URL scheme links. When users click a crafted link containing tabby://run?command=..., Tabby spawns the specified command with full user privileges without any confirmation or sanitization. The vulnerability carries a CVSS 9.4 score due to network vector and high impact across all security dimensions.
Technical ContextAI
Tabby (formerly Terminus) is a cross-platform terminal emulator that registers itself as the handler for the custom tabby:// URL scheme. The vulnerability stems from unsafe command injection (CWE-78) in the URL scheme's 'run' command handler, which directly passes user-supplied input to the OS command execution function without validation. According to the CPE data (cpe:2.3:a:eugeny:tabby:*), all versions prior to 1.0.233 are affected across all platforms where Tabby runs.
RemediationAI
Upgrade to Tabby version 1.0.233 or later immediately, which fixes the URL scheme command injection vulnerability. Until patching is complete, consider unregistering Tabby as the tabby:// URL scheme handler at the OS level to prevent exploitation, though this will break legitimate URL-based functionality. User awareness training about suspicious links is critical since exploitation requires clicking a malicious URL. The vendor advisory is available at https://github.com/Eugeny/tabby/security/advisories/GHSA-hf8h-rjrf-3jg6.
Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when dragging and dropping files containi
Command injection in Tabby (formerly Terminus) terminal emulator before 1.0.234 lets an attacker achieve code execution
Tabby terminal emulator before version 1.0.232 automatically renders malicious URIs from SSH/Telnet servers as clickable
Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when users view attacker-controlled files
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30568