CVE-2026-45035: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Eugeny tabby
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation, sanitization, or sandboxing. An attacker can craft a malicious link (tabby://run?command=...) and deliver it via a website, email, chat message, or any other medium. When a victim clicks the link, the OS launches Tabby which immediately spawns the specified command as a child process with the user's full privileges. This is a zero-click-after-link-visit RCE vulnerability. This vulnerability is fixed in 1.0.233.
AI Analysis
Technical Summary
Tabby versions before 1.0.233 register themselves as handlers for the tabby:// URL scheme on all platforms. The handler supports a run command that executes arbitrary OS commands directly, lacking any input validation or user confirmation. This allows an attacker to deliver a crafted URL that, when clicked by a user, causes Tabby to spawn the specified command as a child process with full user privileges. This is a zero-click-after-link-visit remote code execution vulnerability. The issue is tracked as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The vulnerability has a CVSS 4.0 score of 9.4, indicating critical severity. The vulnerability is fixed in Tabby version 1.0.233.
Potential Impact
Successful exploitation results in remote code execution on the victim's system with the privileges of the logged-in user. This can lead to full compromise of the user's environment, including execution of arbitrary commands without user consent or additional interaction beyond clicking a malicious link. The vulnerability affects all platforms where Tabby is installed and registered as the URL handler for tabby://. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
This vulnerability is fixed in Tabby version 1.0.233. Users and administrators should upgrade to version 1.0.233 or later to remediate this issue. Until the upgrade is applied, users should avoid clicking on untrusted tabby:// links. No other official remediation or temporary workaround is documented. Patch status is confirmed fixed in 1.0.233.
CVE-2026-45035: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Eugeny tabby
Description
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation, sanitization, or sandboxing. An attacker can craft a malicious link (tabby://run?command=...) and deliver it via a website, email, chat message, or any other medium. When a victim clicks the link, the OS launches Tabby which immediately spawns the specified command as a child process with the user's full privileges. This is a zero-click-after-link-visit RCE vulnerability. This vulnerability is fixed in 1.0.233.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Tabby versions before 1.0.233 register themselves as handlers for the tabby:// URL scheme on all platforms. The handler supports a run command that executes arbitrary OS commands directly, lacking any input validation or user confirmation. This allows an attacker to deliver a crafted URL that, when clicked by a user, causes Tabby to spawn the specified command as a child process with full user privileges. This is a zero-click-after-link-visit remote code execution vulnerability. The issue is tracked as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The vulnerability has a CVSS 4.0 score of 9.4, indicating critical severity. The vulnerability is fixed in Tabby version 1.0.233.
Potential Impact
Successful exploitation results in remote code execution on the victim's system with the privileges of the logged-in user. This can lead to full compromise of the user's environment, including execution of arbitrary commands without user consent or additional interaction beyond clicking a malicious link. The vulnerability affects all platforms where Tabby is installed and registered as the URL handler for tabby://. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
This vulnerability is fixed in Tabby version 1.0.233. Users and administrators should upgrade to version 1.0.233 or later to remediate this issue. Until the upgrade is applied, users should avoid clicking on untrusted tabby:// links. No other official remediation or temporary workaround is documented. Patch status is confirmed fixed in 1.0.233.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-08T16:58:28.897Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a075665ec166c07b0723475
Added to database: 5/15/2026, 5:22:45 PM
Last enriched: 5/15/2026, 5:37:04 PM
Last updated: 5/15/2026, 6:25:57 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.