CVE-2026-45038

HIGH

Tabby: Dragging and Dropping a File into Tabby Can Lead to Code Execution

Title source: cna

Description

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby does not escape control characters in file paths when a file is dragged and dropped into it, which can lead to code execution. This vulnerability is fixed in 1.0.233.

Scores

CVSS v3 7.8
EPSS 0.0018
EPSS Percentile 7.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-150
Status published
Products (2)
Eugeny/tabby < 1.0.233
tabby/tabby < 1.0.233
Published May 15, 2026
Tracked Since May 15, 2026