Skip to main content

Tabby CVE-2026-45037

| EUVDEUVD-2026-30569 HIGH
Incomplete List of Disallowed Inputs (CWE-184)
2026-05-15 GitHub_M
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
May 15, 2026 - 18:02 EUVD
Analysis Generated
May 15, 2026 - 17:31 vuln.today

DescriptionGitHub Advisory

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without validating the protocol scheme. This allows a malicious SSH or Telnet server to send crafted terminal output containing dangerous protocol URIs which Tabby renders as clickable links, triggering arbitrary OS protocol handlers on the victim's machine. This vulnerability is fixed in 1.0.232.

AnalysisAI

Tabby terminal emulator before version 1.0.232 automatically renders malicious URIs from SSH/Telnet servers as clickable links without validating the protocol scheme, allowing attackers to trigger arbitrary OS protocol handlers when users click these links. The vulnerability requires user interaction (clicking the malicious link) and affects all platforms where Tabby runs. EPSS data unavailable, not currently in CISA KEV, indicating no confirmed active exploitation at this time.

Technical ContextAI

Tabby (formerly Terminus) is a cross-platform terminal emulator built on web technologies. The vulnerability lies in the terminal's linkifier component which automatically detects and converts URIs in terminal output to clickable hyperlinks. The root cause is improper neutralization of special elements (CWE-184) - the linkifier fails to validate or sanitize protocol schemes before passing URIs to the operating system's protocol handler, allowing dangerous schemes beyond standard http/https.

RemediationAI

Vendor-released patch: upgrade to Tabby version 1.0.232 or later which implements proper protocol validation. For users unable to immediately upgrade, avoid connecting to untrusted SSH or Telnet servers and exercise caution before clicking any links that appear in terminal output. Consider disabling automatic link detection in Tabby settings if the feature exists, though this trades off convenience for security.

Share

CVE-2026-45037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy