Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without validating the protocol scheme. This allows a malicious SSH or Telnet server to send crafted terminal output containing dangerous protocol URIs which Tabby renders as clickable links, triggering arbitrary OS protocol handlers on the victim's machine. This vulnerability is fixed in 1.0.232.
AnalysisAI
Tabby terminal emulator before version 1.0.232 automatically renders malicious URIs from SSH/Telnet servers as clickable links without validating the protocol scheme, allowing attackers to trigger arbitrary OS protocol handlers when users click these links. The vulnerability requires user interaction (clicking the malicious link) and affects all platforms where Tabby runs. EPSS data unavailable, not currently in CISA KEV, indicating no confirmed active exploitation at this time.
Technical ContextAI
Tabby (formerly Terminus) is a cross-platform terminal emulator built on web technologies. The vulnerability lies in the terminal's linkifier component which automatically detects and converts URIs in terminal output to clickable hyperlinks. The root cause is improper neutralization of special elements (CWE-184) - the linkifier fails to validate or sanitize protocol schemes before passing URIs to the operating system's protocol handler, allowing dangerous schemes beyond standard http/https.
RemediationAI
Vendor-released patch: upgrade to Tabby version 1.0.232 or later which implements proper protocol validation. For users unable to immediately upgrade, avoid connecting to untrusted SSH or Telnet servers and exercise caution before clicking any links that appear in terminal output. Consider disabling automatic link detection in Tabby settings if the feature exists, though this trades off convenience for security.
Remote code execution in Tabby terminal emulator versions prior to 1.0.233 allows unauthenticated attackers to execute a
Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when dragging and dropping files containi
Command injection in Tabby (formerly Terminus) terminal emulator before 1.0.234 lets an attacker achieve code execution
Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when users view attacker-controlled files
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30569