Tabby’s terminal linkifier forwards any detected URI directly to the operating system’s protocol handler without restriction on the protocol scheme. When a terminal session receives malicious output from a compromised SSH or Telnet server, the attacker can embed dangerous protocol URIs that Tabby renders as clickable links, causing the victim’s OS to invoke arbitrary handlers. This allows the execution of arbitrary commands or software via the victim’s local machine, effectively delivering remote code execution. The weakness is characterized by CWE-184 (Plain Text Absolute Path Traversal) and CWE-601 (URL Redirection Through Link Manipulation).

The vulnerability affects versions of Tabby (formerly Terminus) before 1.0.232. Users running any prior release of the Tabby terminal emulator are susceptible. Updates equal to or newer than 1.0.232 contain the fix.

With a CVSS score of 7.1, the vulnerability is considered high severity. The EPSS score is not available, but the lack of a KEV listing suggests no known exploitation campaigns yet. The attack vector requires a malicious SSH or Telnet server to send crafted terminal output; thus anyone operating such a server or compromising one can target any Tabby user who connects to it. If exploited, the victim gains the ability to launch commands under their own user privileges by leveraging the OS’s protocol handlers.