Description
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation, sanitization, or sandboxing. An attacker can craft a malicious link (tabby://run?command=...) and deliver it via a website, email, chat message, or any other medium. When a victim clicks the link, the OS launches Tabby which immediately spawns the specified command as a child process with the user's full privileges. This is a zero-click-after-link-visit RCE vulnerability. This vulnerability is fixed in 1.0.233.
Published: 2026-05-15
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. A crafted link such as tabby://run?command=… causes Tabby to execute the supplied operating‑system command without any confirmation, sanitization or sandboxing, allowing the attacker to run arbitrary code with the victim’s full privileges. This flaw, identified as CWE-78, can compromise confidentiality, integrity, and availability of the system. Based on the description, the likely attack vector is a user merely clicking a malicious link embedded in a website, email, chat message or similar medium.

Affected Systems

This issue affects the Tabby terminal emulator (formerly Terminus) from vendor Eugeny. All versions prior to 1.0.233 are affected, as the vulnerability exists only in releases older than that fixed version.

Risk and Exploitability

The CVSS score of 9.4 indicates a high‑severity vulnerability. The EPSS score is currently unavailable, but the flaw is listed as not in the CISA KEV catalog. An attacker can exploit the vulnerability by delivering a malicious tabby://run link; once the victim activates the link, OS command execution occurs immediately, giving the attacker full control. No user interaction beyond clicking the link is required, making it a zero‑click-after‑link‑visit Remote Code Execution.

Generated by OpenCVE AI on May 15, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch by installing Tabby version 1.0.233 or later.
  • If updating is not immediately possible, disable or remove the tabby:// URL scheme handler by uninstalling Tabby or adjusting file associations to prevent the emulator from launching.
  • Verify that no legacy Tabby binaries remain that may re‑register the scheme and block the malicious link execution.

Generated by OpenCVE AI on May 15, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 17:15:00 +0000

Type Values Removed Values Added
Description Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation, sanitization, or sandboxing. An attacker can craft a malicious link (tabby://run?command=...) and deliver it via a website, email, chat message, or any other medium. When a victim clicks the link, the OS launches Tabby which immediately spawns the specified command as a child process with the user's full privileges. This is a zero-click-after-link-visit RCE vulnerability. This vulnerability is fixed in 1.0.233.
Title Tabby: RCE via `tabby://run` URL Scheme
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T17:39:40.413Z

Reserved: 2026-05-08T16:58:28.897Z

Link: CVE-2026-45035

cve-icon Vulnrichment

Updated: 2026-05-15T17:38:43.545Z

cve-icon NVD

Status : Received

Published: 2026-05-15T17:16:48.350

Modified: 2026-05-15T18:16:25.857

Link: CVE-2026-45035

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T18:30:05Z

Weaknesses