Skip to main content

Tabby EUVDEUVD-2026-30572

| CVE-2026-45038 HIGH
Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)
2026-05-15 GitHub_M
8.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Patch available
May 15, 2026 - 18:02 EUVD
Analysis Generated
May 15, 2026 - 17:31 vuln.today
CVSS changed
May 15, 2026 - 17:22 NVD
8.4 (HIGH)

DescriptionGitHub Advisory

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code execution can be achieved. This vulnerability is fixed in 1.0.233.

AnalysisAI

Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when dragging and dropping files containing control characters in their paths. The terminal fails to properly escape control sequences, allowing attackers to execute arbitrary commands through crafted filenames when a user drags a malicious file into the terminal window.

Technical ContextAI

Tabby (formerly known as Terminus) is a cross-platform terminal emulator built with web technologies. The vulnerability stems from improper neutralization of control characters (CWE-150) in file paths during drag-and-drop operations. When a file is dropped into the terminal, its path is inserted without proper sanitization, allowing embedded terminal control sequences to be interpreted and executed by the underlying shell.

RemediationAI

Vendor-released patch: upgrade to Tabby version 1.0.233 or later which properly escapes control characters in file paths. The fix is confirmed in the CVE description. As an immediate workaround, avoid dragging and dropping files from untrusted sources into Tabby terminals, especially files with unusual or suspicious names containing special characters. Consider using standard copy-paste operations for file paths instead of drag-and-drop until patching is complete.

Share

EUVD-2026-30572 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy