Description
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code execution can be achieved. This vulnerability is fixed in 1.0.233.
Published: 2026-05-15
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Tabby, a configurable terminal emulator, fails to escape control characters in file paths when a user drags and drops a file into the terminal. This flaw allows an attacker to inject arbitrary commands that are then executed by Tabby’s shell, leading to unauthorized code execution. The weakness is a classic example of improper processing of user-controlled input, represented by CWE-150.
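
The kind of check the paragraph above calls for, as an added TypeScript example (not Tabby's code and not the 1.0.233 patch): a dropped path is refused if it contains control characters and is otherwise single-quoted for a POSIX shell. The function names, the refuse-rather-than-escape policy, the POSIX shell target and the sample paths are assumptions of this example.

```typescript
// Added example: vet a dropped file path before writing it to the terminal's
// input stream. All names are hypothetical; this is not Tabby's code.

// C0 controls (U+0000-U+001F), DEL (U+007F) and C1 controls (U+0080-U+009F).
const CONTROL_CHAR = /[\u0000-\u001f\u007f-\u009f]/g;

type DropResult =
  | { ok: true; text: string }
  | { ok: false; found: string[] };

// List each control character in the path as "U+XXXX", for logging.
function findControlChars(path: string): string[] {
  const hits: string[] = path.match(CONTROL_CHAR) || [];
  return hits.map((ch: string) => {
    const hex = ch.charCodeAt(0).toString(16).toUpperCase();
    return "U+" + ("0000" + hex).slice(-4);
  });
}

// POSIX single-quote quoting: everything is literal except "'" itself,
// which is written as '\'' (close quote, escaped quote, reopen quote).
function quoteForPosixShell(path: string): string {
  return "'" + path.replace(/'/g, "'\\''") + "'";
}

// Quoting alone is not sufficient: the tty line discipline and the shell's
// line editor act on control bytes before the shell ever parses quotes.
// Paths containing them are therefore refused instead of being pasted.
function prepareDroppedPath(path: string): DropResult {
  const found = findControlChars(path);
  if (found.length > 0) {
    return { ok: false, found };
  }
  return { ok: true, text: quoteForPosixShell(path) + " " };
}

// Constructed sample paths (not taken from the advisory).
const samples: string[] = [
  "/home/alice/report.pdf",
  "/home/alice/it's here.txt",
  "/tmp/a\nb.txt",
  "/tmp/x\u001b[2Jy.txt",
];
for (const p of samples) {
  console.log(JSON.stringify(p), "->", JSON.stringify(prepareDroppedPath(p)));
}
```

The `found` list is what a caller would log or show to the user when a drop is refused.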

Affected Systems

All users running Tabby versions prior to 1.0.233 are affected. Version 1.0.233 and later, from the vendor Eugeny, include the fix. Earlier releases that have not been patched remain vulnerable.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. EPSS is not available, suggesting the exploit probability cannot be quantified but the flaw is known to be exploitable. The vulnerability is not listed in CISA KEV, implying there is no publicly confirmed exploitation yet. The likely attack vector is local: a user who can place a file into the session can trigger execution. Remote exploitation would require a compromised user or privileged access.

Generated by OpenCVE AI on May 15, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tabby to version 1.0.233 or later
  • Temporarily disable drag‑and‑drop functionality until the update is installed
  • Monitor user sessions for abnormal file drop behaviors or unauthorized command execution

Advisories

No advisories yet.

History

Fri, 15 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 15 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code execution can be achieved. This vulnerability is fixed in 1.0.233.
Title | | Tabby: Dragging and Dropping a File into Tabby Can Lead to Code Execution
Weaknesses | | CWE-150
References | |
Metrics | | cvssV4_0 {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-15T18:04:54.549Z
Reserved: 2026-05-08T18:07:27.341Z
Link: CVE-2026-45038

Vulnrichment

Updated: 2026-05-15T18:00:16.976Z

NVD

Status: Received
Published: 2026-05-15T17:16:48.760
Modified: 2026-05-15T19:17:01.630
Link: CVE-2026-45038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T19:00:07Z

Weaknesses