VIR Vulnerability Intelligence Relay

CVE-2026-45035

high
Published 2026-05-15 · Modified 2026-05-19
CVSS v3
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v2
VIR risk
8.8

Description

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation, sanitization, or sandboxing. An attacker can craft a malicious link (tabby://run?command=...) and deliver it via a website, email, chat message, or any other medium. When a victim clicks the link, the OS launches Tabby which immediately spawns the specified command as a child process with the user's full privileges. This is a zero-click-after-link-visit RCE vulnerability. This vulnerability is fixed in 1.0.233.

Predictions

Exploit likelihood
92%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/Eugeny/tabby/security/advisories/GHSA-hf8h-rjrf-3jg6

Application impact
VendorProductVersionsFixed
tabbytabby{"endExcluding":"1.0.233"}1.0.233

References

CWEs

CWE-78

Verify integrity in audit chain (admin only). AS-IS.