CVE-2026-45038

7.8 HIGH

Tabby (formerly Terminus) is a highly configurable terminal emulator

Published: 2026-05-15 · Last updated: 2026-05-20

Severity and scoring

CVSS: 7.8 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-150

Affected products

Vendor	Product
tabby	tabby

Description

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code execution can be achieved. This vulnerability is fixed in 1.0.233.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45038
[Vendor advisory]https://github.com/Eugeny/tabby/security/advisories/GHSA-m937-jm93-pfp6

Related CVEs

Same vendor

CVE-2026-45037 — Tabby (formerly Terminus) is a highly configurable terminal emulator (7.1 HIGH)
CVE-2026-45036 — Tabby (formerly Terminus) is a highly configurable terminal emulator (7.0 HIGH)
CVE-2026-45035 — Tabby (formerly Terminus) is a highly configurable terminal emulator (8.8 HIGH)

Same CWE

CVE-2026-9270 — DataDog::DogStatsd versions through 0.07 for Perl allow metric injections (9.1 CRITICAL)
CVE-2026-11362 — DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags (9.8 CRITICAL)
CVE-2026-47090 — Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl va... (4.6 MEDIUM)
CVE-2026-45803 — `gh` is GitHub’s official command line tool (3.5 LOW)
CVE-2026-6019 — http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context (6.1 MEDIUM)