Vulnerability Description
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation, sanitization, or sandboxing. An attacker can craft a malicious link (tabby://run?command=...) and deliver it via a website, email, chat message, or any other medium. When a victim clicks the link, the OS launches Tabby which immediately spawns the specified command as a child process with the user's full privileges. This is a zero-click-after-link-visit RCE vulnerability. This vulnerability is fixed in 1.0.233.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tabby | Tabby | < 1.0.233 |
Related Weaknesses (CWE)
References
- https://github.com/Eugeny/tabby/security/advisories/GHSA-hf8h-rjrf-3jg6ExploitVendor Advisory
- https://github.com/Eugeny/tabby/security/advisories/GHSA-hf8h-rjrf-3jg6ExploitVendor Advisory
FAQ
What is CVE-2026-45035?
CVE-2026-45035 is a vulnerability with a CVSS score of 8.8 (HIGH). Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler suppo...
How severe is CVE-2026-45035?
CVE-2026-45035 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-45035?
Check the references section above for vendor advisories and patch information. Affected products include: Tabby Tabby.