HIGHCVE-2026-45037Published 2026-05-15Modified 2026-05-15CNA GitHub_M

CVE-2026-45037: Tabby: Unsafe protocol handler execution via terminal linkifier allows arbitrary OS protocol invocation

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without validating the protocol scheme. This allows a malicious SSH or Telnet server to send crafted terminal output containing dangerous protocol URIs which Tabby renders as clickable links, triggering arbitrary OS protocol handlers on the victim's machine. This vulnerability is fixed in 1.0.232.

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

Eugeny / tabby
< 1.0.232

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

References

https://github.com/Eugeny/tabby/security/advisories/GHSA-cmpc-v2x9-j9x9

Metrics