
Tabby CVE-2026-45037

EUVD-2026-30569
Severity: HIGH (CVSS 3.1 score 7.1)
Weakness: Incomplete List of Disallowed Inputs (CWE-184)
2026-05-15 GitHub_M

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch available: May 15, 2026 - 18:02 (EUVD)
Analysis Generated: May 15, 2026 - 17:31 (vuln.today)

Description (NVD)

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without validating the protocol scheme. This allows a malicious SSH or Telnet server to send crafted terminal output containing dangerous protocol URIs which Tabby renders as clickable links, triggering arbitrary OS protocol handlers on the victim's machine. This vulnerability is fixed in 1.0.232.
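The missing scheme check, sketched as an added example (this is not Tabby's code or its actual fix). It contrasts a denylist, the CWE-184 pattern, with an allowlist placed in front of the OS hand-off. `ALLOWED_SCHEMES`, the `openExternal` callback and the sample links are assumptions constructed for illustration.

```javascript
// Added example (not Tabby's code): scheme validation for a terminal linkifier.
// ALLOWED_SCHEMES is an assumed policy; adjust it to what your users need.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Denylist shown only for contrast: any scheme it does not name passes (CWE-184).
const DENIED_SCHEMES = new Set(['file:', 'javascript:']);

// Parse with the WHATWG URL parser so scheme case and stray tabs/newlines
// are normalised before the comparison.
function parseScheme(candidate) {
  try {
    return new URL(candidate.trim()).protocol; // lower-cased, with trailing ':'
  } catch {
    return null; // not an absolute URI: never hand it to the OS
  }
}

function denylistPermits(candidate) {
  const scheme = parseScheme(candidate);
  return scheme !== null && !DENIED_SCHEMES.has(scheme);
}

function allowlistPermits(candidate) {
  const scheme = parseScheme(candidate);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Gate in front of the OS hand-off. `openExternal` is a hypothetical callback
// standing in for whatever call forwards the URI to the protocol handler.
function openLink(candidate, openExternal) {
  if (!allowlistPermits(candidate)) return false;
  openExternal(new URL(candidate.trim()).href); // open exactly what was checked
  return true;
}

// Constructed sample links as they might appear in remote terminal output.
const SAMPLES = [
  'https://example.com/docs',
  'HTTPS://example.com/',
  'custom-app://do-something', // constructed scheme standing in for an OS-registered handler
  'FILE:///tmp/x',
  'not a uri',
];

function audit(samples) {
  return samples.map((s) => ({ link: s, denylist: denylistPermits(s), allowlist: allowlistPermits(s) }));
}
```

Running `audit(SAMPLES)` shows the constructed `custom-app:` link passing the denylist and failing the allowlist, which is the gap an incomplete list of disallowed inputs leaves open.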

Analysis (AI)

Tabby terminal emulator before version 1.0.232 automatically renders malicious URIs from SSH/Telnet servers as clickable links without validating the protocol scheme, allowing attackers to trigger arbitrary OS protocol handlers when users click these links. The vulnerability requires user interaction (clicking the malicious link) and affects all platforms where Tabby runs. …


Remediation (AI)

Within 24 hours: Inventory all Tabby installations across the organization and identify current versions in use. Within 7 days: Upgrade Tabby to version 1.0.232 or later on all affected systems; if upgrade is unavailable, implement the compensating control listed below. …
