Skip to main content

Tabby

5 CVEs product

Monthly

CVE-2026-46709 HIGH PATCH This Week

Command injection in Tabby (formerly Terminus) terminal emulator before 1.0.234 lets an attacker achieve code execution by tricking a victim into dragging and dropping a crafted file whose path contains shell command-substitution metacharacters ($(...) or backticks). Because the drop handler in tabby-electron/src/pathDrop.ts inserted the raw path into the active shell without neutralizing these characters, the payload runs when the victim presses Enter. This is an incomplete-fix follow-up to CVE-2026-45038, which only addressed control characters; no public exploit is identified at time of analysis and it is not listed in CISA KEV.

RCE Command Injection Tabby
NVD GitHub
CVSS 3.1
7.8
CVE-2026-45038 HIGH PATCH This Week

Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when dragging and dropping files containing control characters in their paths. The terminal fails to properly escape control sequences, allowing attackers to execute arbitrary commands through crafted filenames when a user drags a malicious file into the terminal window.

RCE Tabby
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-45036 HIGH PATCH This Week

Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when users view attacker-controlled files containing ZMODEM protocol headers. The vulnerability exploits automatic ZMODEM detection that injects commands into the user's shell when displaying malicious content with common commands like 'cat'. Real-world risk is moderate (EPSS data not provided) as it requires local access and user interaction, but enables code execution without explicit user consent beyond viewing a file.

Command Injection RCE Tabby
NVD GitHub VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-45035 CRITICAL PATCH Act Now

Remote code execution in Tabby terminal emulator versions prior to 1.0.233 allows unauthenticated attackers to execute arbitrary OS commands via malicious tabby:// URL scheme links. When users click a crafted link containing tabby://run?command=..., Tabby spawns the specified command with full user privileges without any confirmation or sanitization. The vulnerability carries a CVSS 9.4 score due to network vector and high impact across all security dimensions.

Command Injection Tabby
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-45037 HIGH PATCH This Week

Tabby terminal emulator before version 1.0.232 automatically renders malicious URIs from SSH/Telnet servers as clickable links without validating the protocol scheme, allowing attackers to trigger arbitrary OS protocol handlers when users click these links. The vulnerability requires user interaction (clicking the malicious link) and affects all platforms where Tabby runs. EPSS data unavailable, not currently in CISA KEV, indicating no confirmed active exploitation at this time.

Information Disclosure Tabby
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVSS 7.8
HIGH PATCH This Week

Command injection in Tabby (formerly Terminus) terminal emulator before 1.0.234 lets an attacker achieve code execution by tricking a victim into dragging and dropping a crafted file whose path contains shell command-substitution metacharacters ($(...) or backticks). Because the drop handler in tabby-electron/src/pathDrop.ts inserted the raw path into the active shell without neutralizing these characters, the payload runs when the victim presses Enter. This is an incomplete-fix follow-up to CVE-2026-45038, which only addressed control characters; no public exploit is identified at time of analysis and it is not listed in CISA KEV.

RCE Command Injection Tabby
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when dragging and dropping files containing control characters in their paths. The terminal fails to properly escape control sequences, allowing attackers to execute arbitrary commands through crafted filenames when a user drags a malicious file into the terminal window.

RCE Tabby
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when users view attacker-controlled files containing ZMODEM protocol headers. The vulnerability exploits automatic ZMODEM detection that injects commands into the user's shell when displaying malicious content with common commands like 'cat'. Real-world risk is moderate (EPSS data not provided) as it requires local access and user interaction, but enables code execution without explicit user consent beyond viewing a file.

Command Injection RCE Tabby
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in Tabby terminal emulator versions prior to 1.0.233 allows unauthenticated attackers to execute arbitrary OS commands via malicious tabby:// URL scheme links. When users click a crafted link containing tabby://run?command=..., Tabby spawns the specified command with full user privileges without any confirmation or sanitization. The vulnerability carries a CVSS 9.4 score due to network vector and high impact across all security dimensions.

Command Injection Tabby
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Tabby terminal emulator before version 1.0.232 automatically renders malicious URIs from SSH/Telnet servers as clickable links without validating the protocol scheme, allowing attackers to trigger arbitrary OS protocol handlers when users click these links. The vulnerability requires user interaction (clicking the malicious link) and affects all platforms where Tabby runs. EPSS data unavailable, not currently in CISA KEV, indicating no confirmed active exploitation at this time.

Information Disclosure Tabby
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy