Which versions of Tabby are affected by CVE-2026-45038?

Tabby terminal emulator versions before 1.0.233 contain a local code execution vulnerability triggered by dragging files with malicious names into the terminal, allowing attackers to execute…. A patch is available.

Tabby CVE-2026-45038

Q: What is the CVSS score of CVE-2026-45038?

CVE-2026-45038 has a CVSS 4.0 base score of 8.4 (High). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-30572 HIGH

Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)

2026-05-15 GitHub_M

RCE

8.4

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Patch available

May 15, 2026 - 18:02 EUVD

Analysis Generated

May 15, 2026 - 17:31 vuln.today

CVSS changed

May 15, 2026 - 17:22 NVD

8.4 (HIGH)

DescriptionNVD

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code execution can be achieved. This vulnerability is fixed in 1.0.233.

AnalysisAI

Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when dragging and dropping files containing control characters in their paths. The terminal fails to properly escape control sequences, allowing attackers to execute arbitrary commands through crafted filenames when a user drags a malicious file into the terminal window.

RemediationAI

Within 24 hours: Identify all systems running Tabby terminal emulator and document current versions via endpoint management tools. Within 7 days: Advise users to upgrade to Tabby version 1.0.233 or later, and restrict file drag-and-drop operations into terminal windows via user training pending patches. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-45038 vulnerability details – vuln.today

Back

Tabby CVE-2026-45038

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Tabby CVE-2026-45038

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code