Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code execution can be achieved. This vulnerability is fixed in 1.0.233.
AnalysisAI
Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when dragging and dropping files containing control characters in their paths. The terminal fails to properly escape control sequences, allowing attackers to execute arbitrary commands through crafted filenames when a user drags a malicious file into the terminal window.
Technical ContextAI
Tabby (formerly known as Terminus) is a cross-platform terminal emulator built with web technologies. The vulnerability stems from improper neutralization of control characters (CWE-150) in file paths during drag-and-drop operations. When a file is dropped into the terminal, its path is inserted without proper sanitization, allowing embedded terminal control sequences to be interpreted and executed by the underlying shell.
RemediationAI
Vendor-released patch: upgrade to Tabby version 1.0.233 or later which properly escapes control characters in file paths. The fix is confirmed in the CVE description. As an immediate workaround, avoid dragging and dropping files from untrusted sources into Tabby terminals, especially files with unusual or suspicious names containing special characters. Consider using standard copy-paste operations for file paths instead of drag-and-drop until patching is complete.
Remote code execution in Tabby terminal emulator versions prior to 1.0.233 allows unauthenticated attackers to execute a
Command injection in Tabby (formerly Terminus) terminal emulator before 1.0.234 lets an attacker achieve code execution
Tabby terminal emulator before version 1.0.232 automatically renders malicious URIs from SSH/Telnet servers as clickable
Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when users view attacker-controlled files
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30572