Vulnerability in Tabby Terminal Emulator Enables Command Execution via ZMODEM Protocol
CVE-2026-45036

7.0 HIGH

Key Information:

Vendor: Eugeny
Status: Vendor
CVE Published: 15 May 2026

What is CVE-2026-45036?

Tabby (previously known as Terminus) is a cross-platform terminal emulator. In versions before 1.0.233 its ZModemMiddleware, which watches session output for the ZMODEM start sequences that rz and sz emit, confirms every detection automatically and writes the ZMODEM handshake back into the session without asking the user.

The detection is driven purely by bytes arriving from the session, so it fires on attacker-controlled output just as it does on a real transfer. When the user displays a file whose content embeds a ZMODEM start sequence (for example with cat), Tabby answers it, and because no rz or sz is actually running, the shell receives the reply as if the user had typed it. A ZMODEM hex header begins with the two characters `**` and is terminated by a carriage return, so the shell is handed a complete line that starts with a glob pattern. In fish, where `**` expands recursively, an attacker who can also place a crafted filename in the user's directory tree can steer that expansion to a file of their choosing; in bash and zsh the injection is reached through the displayed file content. Either way, the outcome is arbitrary command execution on the user's machine from nothing more than viewing a malicious file in the terminal. The attacker's bytes must be rendered inside the victim's own Tabby session, which is why the CVSS vector is rated Local with user interaction required, but any content the user chooses to display qualifies. The issue is fixed in Tabby 1.0.233.
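The pattern described above, reduced to a runnable model. This is an added illustration and not Tabby's own code: the class and constant names (FakeSession, VulnerableZmodemMiddleware, HardenedZmodemMiddleware, MODEL_HANDSHAKE_REPLY, HOSTILE_OUTPUT) are hypothetical, the hostile output is constructed, and the handshake reply is a stand-in shaped like a ZMODEM hex header rather than a byte-exact ZRINIT. What the model shows is the security-relevant difference: with auto-confirm, detection alone is enough to write a CR-terminated line beginning with `**` into the shell's input; with a confirmation gate, nothing reaches the session until the user agrees.

```javascript
// Added example, not Tabby's code. A minimal model of a terminal middleware
// that watches session OUTPUT for the start of a ZMODEM hex header and
// decides whether to answer it by writing into session INPUT.

// Every ZMODEM hex header starts ZPAD ZPAD ZDLE 'B' ('**' 0x18 'B'), carries
// 14 hex digits, and ends with CR, LF-with-high-bit (0x8a) and XON (0x11).
const ZMODEM_HEX_HEADER_PREFIX = '**\x18B';

// Constructed stand-in for the receiver's reply. It is shaped like a ZRINIT
// hex header (type 01, flags, CRC), but the CRC is not computed here; the
// point is only that it starts with '**' and contains a carriage return.
const MODEL_HANDSHAKE_REPLY = ZMODEM_HEX_HEADER_PREFIX + '01000000230000' + '\r\x8a\x11';

// Constructed hostile output: what the terminal receives after the user runs
// `cat` on an attacker-supplied file that embeds a ZRQINIT-style hex header.
const HOSTILE_OUTPUT = 'README\n' + ZMODEM_HEX_HEADER_PREFIX + '00000000000000' + '\r\x8a\x11';

// Stand-in for the PTY: records every chunk written into the session input.
class FakeSession {
  constructor() { this.written = []; }
  write(bytes) { this.written.push(bytes); }
}

// Shared detector. A real implementation checks whole frames; this model
// only looks for the header prefix, which is enough to show the flow.
function detectZmodem(outputChunk) {
  return outputChunk.includes(ZMODEM_HEX_HEADER_PREFIX);
}

// Vulnerable pattern: the detection is confirmed immediately, so the reply
// reaches the PTY even when no rz/sz is running. The shell then reads it as
// typed input, and the CR inside the header submits it as a command line.
class VulnerableZmodemMiddleware {
  constructor(session) { this.session = session; }
  feedFromSession(outputChunk) {
    if (!detectZmodem(outputChunk)) return false;
    this.session.write(MODEL_HANDSHAKE_REPLY);
    return true;
  }
}

// Hardened pattern: nothing is written until a user-facing confirmation
// callback returns true. One reasonable mitigation for this model, not a
// claim about what Tabby 1.0.233 actually changed.
class HardenedZmodemMiddleware {
  constructor(session, confirmFn) {
    this.session = session;
    this.confirmFn = confirmFn;
  }
  feedFromSession(outputChunk) {
    if (!detectZmodem(outputChunk)) return false;
    if (!this.confirmFn(outputChunk)) return false; // user declined: drop it
    this.session.write(MODEL_HANDSHAKE_REPLY);
    return true;
  }
}

// What a shell sees when the reply lands on its input with no transfer
// running: the bytes up to the first CR form the submitted line. Control
// bytes such as 0x18 are left in place; how a given line editor treats them
// is shell-specific and not modelled here.
function injectedCommandLine(bytesWritten) {
  const joined = bytesWritten.join('');
  const cr = joined.indexOf('\r');
  return cr === -1 ? null : joined.slice(0, cr);
}

// Stand-alone demonstration.
const demoSession = new FakeSession();
new VulnerableZmodemMiddleware(demoSession).feedFromSession(HOSTILE_OUTPUT);
console.log('line handed to the shell:', JSON.stringify(injectedCommandLine(demoSession.written)));
```

Run it with node; the printed line starts with `**`, which is the glob that the fish case in the description relies on. The same detectZmodem check can also be run over a file before displaying it in an unpatched client.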

Affected Version(s)

tabby < 1.0.233

Upgrade to 1.0.233 or later.

CVSS v3.1

Score: 7.0 (HIGH)
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved
  • Vulnerability published: 15 May 2026