CVE-2026-45035: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Eugeny tabby
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation, sanitization, or sandboxing. An attacker can craft a malicious link (tabby://run?command=...) and deliver it via a website, email, chat message, or any other medium. When a victim clicks the link, the OS launches Tabby which immediately spawns the specified command as a child process with the user's full privileges. This is a zero-click-after-link-visit RCE vulnerability. This vulnerability is fixed in 1.0.233.
AI Analysis
Technical Summary
Tabby (formerly Terminus) versions before 1.0.233 register themselves as handlers for the tabby:// URL scheme on all platforms. This URL scheme includes a run command that directly executes OS commands without any input validation or user interaction. An attacker can exploit this by sending a crafted tabby://run?command=... URL, which when clicked by a user, causes Tabby to spawn the specified OS command as a child process with full user privileges. This leads to a zero-click-after-link-visit remote code execution vulnerability. The issue is tracked as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The vulnerability is resolved in Tabby version 1.0.233.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary OS commands on the victim's machine with the same privileges as the user running Tabby. This can lead to full system compromise depending on the user's permissions. The vulnerability requires the victim to click a maliciously crafted tabby:// URL, which triggers immediate command execution without further user confirmation or sanitization.
Mitigation Recommendations
This vulnerability is fixed in Tabby version 1.0.233. Users and administrators should upgrade to version 1.0.233 or later to remediate this issue. No other mitigation or temporary workaround is indicated in the available data.
CVE-2026-45035: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Eugeny tabby
Description
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation, sanitization, or sandboxing. An attacker can craft a malicious link (tabby://run?command=...) and deliver it via a website, email, chat message, or any other medium. When a victim clicks the link, the OS launches Tabby which immediately spawns the specified command as a child process with the user's full privileges. This is a zero-click-after-link-visit RCE vulnerability. This vulnerability is fixed in 1.0.233.
CVSS v4.0
Score 9.4critical
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Tabby (formerly Terminus) versions before 1.0.233 register themselves as handlers for the tabby:// URL scheme on all platforms. This URL scheme includes a run command that directly executes OS commands without any input validation or user interaction. An attacker can exploit this by sending a crafted tabby://run?command=... URL, which when clicked by a user, causes Tabby to spawn the specified OS command as a child process with full user privileges. This leads to a zero-click-after-link-visit remote code execution vulnerability. The issue is tracked as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The vulnerability is resolved in Tabby version 1.0.233.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary OS commands on the victim's machine with the same privileges as the user running Tabby. This can lead to full system compromise depending on the user's permissions. The vulnerability requires the victim to click a maliciously crafted tabby:// URL, which triggers immediate command execution without further user confirmation or sanitization.
Mitigation Recommendations
This vulnerability is fixed in Tabby version 1.0.233. Users and administrators should upgrade to version 1.0.233 or later to remediate this issue. No other mitigation or temporary workaround is indicated in the available data.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-08T16:58:28.897Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a075665ec166c07b0723475
Added to database: 5/15/2026, 5:22:45 PM
Last enriched: 5/23/2026, 6:20:35 AM
Last updated: 6/18/2026, 12:10:43 AM
Views: 149
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.