Remote Code Execution in Tabby Terminal Emulator by Eugeny
CVE-2026-45035

9.4 CRITICAL

Key Information:

Vendor: Eugeny

Status
Vendor
CVE Published: 15 May 2026

What is CVE-2026-45035?

Prior to version 1.0.233, the Tabby terminal emulator registered itself as the handler for the 'tabby://' URL scheme on all platforms. The handler supported a run command that executed operating system commands with no user confirmation, sanitization, or sandboxing. An attacker could exploit this by crafting a malicious URL of the form 'tabby://run?command=...' and distributing it through web pages, emails, or chat messages. When such a link is clicked, Tabby launches and executes the specified command as a child process with full user privileges, facilitating zero-click exploitation once the link is accessed. This issue has been fixed in version 1.0.233.

Affected Version(s)

tabby < 1.0.233
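
For defenders triaging exposure, the following added example (not code from the Tabby project or from this advisory) flags 'tabby://run?command=...' links in inbound content and checks an installed version against 1.0.233. The function names, the lenient matching of case and trailing slash, and the sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

FIXED_VERSION = (1, 0, 233)  # first fixed release according to the advisory
LINK_RE = re.compile(r"tabby://[^\s\"'<>)\]]+", re.IGNORECASE)


def is_affected(version: str) -> bool:
    """True if a dotted Tabby version such as '1.0.232' is below 1.0.233."""
    parts = tuple(int(p) for p in version.lstrip("vV").split("."))
    return parts < FIXED_VERSION


def find_run_links(text: str) -> list[dict]:
    """Return every tabby:// link in text that targets the run handler."""
    findings = []
    for match in LINK_RE.finditer(text):
        url = urlsplit(match.group(0))
        params = parse_qs(url.query, keep_blank_values=True)
        # Assumption: compare the handler name case-insensitively and accept a
        # trailing slash, so near-variants of the documented form are flagged.
        if (url.netloc.lower() == "run" and url.path in ("", "/")
                and "command" in params):
            findings.append({
                "offset": match.start(),
                "url": match.group(0),
                "command": params["command"][0],  # percent-decoded by parse_qs
            })
    return findings


# Constructed sample input: HTML, chat and mail fragments with harmless commands.
SAMPLE = """\
<a href="tabby://run?command=echo%20constructed-sample">Open invoice</a>
chat: see TABBY://Run?command=whoami for details
mail: docs at https://example.invalid/tabby://notes and tabby://other?x=1
"""

if __name__ == "__main__":
    for f in find_run_links(SAMPLE):
        print(f"offset {f['offset']}: {f['url']} -> {f['command']!r}")
    for v in ("1.0.232", "1.0.233"):
        print(v, "affected" if is_affected(v) else "fixed")
```

The same check can run in a mail gateway or proxy content filter, and the decoded command field gives responders the exact string that would have been executed on a host still below 1.0.233.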

References

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
