Skip to main content

Tabby CVE-2026-45035

| EUVDEUVD-2026-30568 CRITICAL
OS Command Injection (CWE-78)
2026-05-15 GitHub_M
9.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
May 15, 2026 - 18:02 EUVD
Analysis Generated
May 15, 2026 - 17:30 vuln.today
CVSS changed
May 15, 2026 - 17:22 NVD
9.4 (CRITICAL)

DescriptionGitHub Advisory

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation, sanitization, or sandboxing. An attacker can craft a malicious link (tabby://run?command=...) and deliver it via a website, email, chat message, or any other medium. When a victim clicks the link, the OS launches Tabby which immediately spawns the specified command as a child process with the user's full privileges. This is a zero-click-after-link-visit RCE vulnerability. This vulnerability is fixed in 1.0.233.

AnalysisAI

Remote code execution in Tabby terminal emulator versions prior to 1.0.233 allows unauthenticated attackers to execute arbitrary OS commands via malicious tabby:// URL scheme links. When users click a crafted link containing tabby://run?command=..., Tabby spawns the specified command with full user privileges without any confirmation or sanitization. The vulnerability carries a CVSS 9.4 score due to network vector and high impact across all security dimensions.

Technical ContextAI

Tabby (formerly Terminus) is a cross-platform terminal emulator that registers itself as the handler for the custom tabby:// URL scheme. The vulnerability stems from unsafe command injection (CWE-78) in the URL scheme's 'run' command handler, which directly passes user-supplied input to the OS command execution function without validation. According to the CPE data (cpe:2.3:a:eugeny:tabby:*), all versions prior to 1.0.233 are affected across all platforms where Tabby runs.

RemediationAI

Upgrade to Tabby version 1.0.233 or later immediately, which fixes the URL scheme command injection vulnerability. Until patching is complete, consider unregistering Tabby as the tabby:// URL scheme handler at the OS level to prevent exploitation, though this will break legitimate URL-based functionality. User awareness training about suspicious links is critical since exploitation requires clicking a malicious URL. The vendor advisory is available at https://github.com/Eugeny/tabby/security/advisories/GHSA-hf8h-rjrf-3jg6.

Share

CVE-2026-45035 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy