๐Ÿ” CVE Alert

CVE-2026-45035

UNKNOWN 0.0

Tabby: RCE via `tabby://run` URL Scheme

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the `tabby://` URL scheme on all platforms. The URL scheme handler supports a `run` command that directly executes OS commands with no user confirmation, sanitization, or sandboxing. An attacker can craft a malicious link (`tabby://run?command=...`) and deliver it via a website, email, chat message, or any other medium. When a victim clicks the link, the OS launches Tabby, which immediately spawns the specified command as a child process with the user's full privileges. This is a zero-click-after-link-visit RCE vulnerability. This vulnerability is fixed in 1.0.233.

CWE: CWE-78
Vendor: eugeny
Product: tabby
Published: May 15, 2026
Last Updated: May 15, 2026

Affected Versions

Eugeny / tabby
< 1.0.233
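
A defender-side check for the issue described above, added here as an example and not taken from the advisory or the Tabby project: it flags `tabby://run` links in text such as mail or chat exports and tests a version string against the `< 1.0.233` range. The function names and the sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

FIXED_VERSION = (1, 0, 233)  # first fixed release, per the description above

# Candidate tabby:// links in free text (mail bodies, chat exports, HTML source).
LINK_RE = re.compile(r"tabby://[^\s\"'<>]+", re.IGNORECASE)

def find_run_links(text):
    """Return (link, decoded command) for every tabby://run link in text."""
    hits = []
    for link in LINK_RE.findall(text):
        parts = urlsplit(link)
        # In tabby://run?command=..., "run" is parsed as the URL host.
        if parts.scheme == "tabby" and (parts.hostname or "") == "run":
            command = parse_qs(parts.query).get("command", [""])[0]
            hits.append((link, command))
    return hits

def is_affected(version):
    """True if a Tabby version string falls in the affected range (< 1.0.233)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    if len(nums) < 3:
        raise ValueError(f"cannot parse version: {version!r}")
    return tuple(nums) < FIXED_VERSION

# Constructed sample text; the command values are inert placeholders and the
# last link is a made-up non-run action, not a documented Tabby feature.
SAMPLE = '''\
<a href="tabby://run?command=PLACEHOLDER%20ARG">invoice</a>
see TABBY://RUN?command=PLACEHOLDER for details
docs: https://github.com/Eugeny/tabby
other: tabby://placeholder-action?x=1
'''

if __name__ == "__main__":
    for link, command in find_run_links(SAMPLE):
        print(f"ALERT tabby://run link, command={command!r}: {link}")
    for v in ("1.0.232", "1.0.233"):
        print(v, "affected" if is_affected(v) else "fixed")
```
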

References

NVD | CVE.org | EPSS Data
github.com: https://github.com/Eugeny/tabby/security/advisories/GHSA-hf8h-rjrf-3jg6