9.4
CVE-2026-45035: Tabby Terminal Emulator Allows Malicious Links to Run Commands
Summary
Tabby Terminal Emulator has a security flaw that lets hackers run malicious commands on your computer when you click a specially crafted link. This is a serious issue because it can lead to unauthorized access and control of your system. To stay safe, update Tabby to version 1.0.233 or later as soon as possible.
What to do
Update Tabby to version 1.0.233 or later, which fixes this vulnerability.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| tabby | tabby | < 1.0.233 (cpe:2.3:a:tabby:tabby:*:*:*:*:*:*:*:*) |
Original title
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler su...
Original description
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation, sanitization, or sandboxing. An attacker can craft a malicious link (tabby://run?command=...) and deliver it via a website, email, chat message, or any other medium. When a victim clicks the link, the OS launches Tabby which immediately spawns the specified command as a child process with the user's full privileges. This is a zero-click-after-link-visit RCE vulnerability. This vulnerability is fixed in 1.0.233.
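A defender-side triage helper for the link format described above, added here as an example and not taken from Tabby or from the advisory: it finds `tabby://` links whose action is `run` in mail, chat or proxy text and checks a version string against the fixed release. The function names, the sample text and the assumption that the action appears as the URL authority or first path segment are illustrative.

```python
import re
from urllib.parse import urlsplit, parse_qs

FIXED = (1, 0, 233)  # first fixed release, per the advisory text
# Candidate tabby:// links in free text (mail bodies, chat exports, proxy logs).
LINK_RE = re.compile(r"tabby://[^\s\"'<>]+", re.IGNORECASE)


def is_affected(version: str) -> bool:
    """True when a Tabby version string such as '1.0.230' predates the fix."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < FIXED


def find_run_links(text: str) -> list[dict]:
    """Return each tabby:// link whose action is 'run', with its decoded command."""
    hits = []
    for raw in LINK_RE.findall(text):
        raw = raw.rstrip(".,);")  # drop sentence punctuation glued to the link
        url = urlsplit(raw)
        # Assumption: the action is the URL authority or the first path segment.
        action = (url.netloc or url.path.lstrip("/").split("/")[0]).lower()
        if action != "run":
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        # 'command' is the parameter name given in the advisory; value is percent-decoded.
        hits.append({"link": raw, "command": params.get("command", [""])[0]})
    return hits


# Constructed sample input; 'other-action' is a hypothetical non-run action.
SAMPLE = (
    'Constructed mail body: <a href="tabby://run?command=echo%20constructed-sample">invoice</a>\n'
    "Constructed chat line: see TABBY://RUN?command=id for details\n"
    "Constructed benign line: https://example.com/tabby and tabby://other-action?x=1\n"
)

if __name__ == "__main__":
    for hit in find_run_links(SAMPLE):
        print(f"run link: {hit['link']!r} -> command {hit['command']!r}")
    for v in ("1.0.232", "1.0.233"):
        print(v, "affected" if is_affected(v) else "not affected")
```
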
NVD CVSS 4.0
9.4
Vulnerability type
CWE-78
OS Command Injection
Published: 15 May 2026 · Updated: 2 Jun 2026 · First seen: 15 May 2026