PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45035 Eugeny CVE debrief

Tabby (formerly Terminus) terminal emulator versions prior to 1.0.233 register a custom URL scheme handler (tabby://) that accepts a run command parameter. When a user clicks a crafted link containing tabby://run?command=..., the operating system launches Tabby, which immediately executes the specified OS command as a child process with the user's full privileges without confirmation, sanitization, or sandboxing. This creates a zero-click-after-link-visit remote code execution condition exploitable through any medium that renders hyperlinks, including websites, email, and chat messages. The vulnerability is classified as CWE-78 (OS Command Injection) and carries a CRITICAL severity rating with CVSS 9.4. The issue was published in the NVD on 2026-05-15 and last modified on 2026-05-19. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor: Eugeny
Product: tabby
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-19
Advisory published: 2026-05-15
Advisory updated: 2026-05-19

Who should care

Organizations and individuals using Tabby terminal emulator on any platform; security teams responsible for endpoint protection and application control; developers distributing applications with custom URL scheme handlers.

Technical summary

The tabby:// URL scheme handler in Tabby terminal emulator prior to 1.0.233 passes user-supplied command parameters directly to the operating system shell without validation, enabling unauthenticated remote code execution when victims click maliciously crafted links.

Defensive priority

critical

Recommended defensive actions

  • Upgrade Tabby to version 1.0.233 or later to eliminate the vulnerable URL scheme handler behavior.
  • If immediate patching is not feasible, unregister the tabby:// URL scheme handler at the operating system level to prevent automatic link handling.
  • Deploy application control policies or endpoint protection rules to block execution of Tabby spawned from URL scheme invocations.
  • Educate users on the risks of clicking unfamiliar links, particularly those with non-standard URL schemes.
  • Monitor for suspicious child process spawning from Tabby processes as an indicator of potential exploitation attempts.
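The monitoring action above can be prototyped over process-creation telemetry as follows. This is an added example, not code from the advisory or the Tabby project. The event schema, the binary names, and the assumption that the operating system hands the link to Tabby as a command-line argument are hypothetical and need adapting to your own telemetry.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Assumed binary names for Tabby; adjust to what your telemetry reports.
TABBY_IMAGES = {"tabby", "tabby.exe"}

# Constructed process-creation events in time order. The JSON schema
# (pid, ppid, image, cmdline) is hypothetical, not a specific EDR format.
SAMPLE_EVENTS = """\
{"pid": 4100, "ppid": 880, "image": "tabby", "cmdline": ["tabby"]}
{"pid": 4101, "ppid": 4100, "image": "bash", "cmdline": ["bash", "-l"]}
{"pid": 5200, "ppid": 3010, "image": "tabby", "cmdline": ["tabby", "tabby://run?command=echo%20constructed-test"]}
{"pid": 5201, "ppid": 5200, "image": "sh", "cmdline": ["sh", "-c", "echo constructed-test"]}
{"pid": 5300, "ppid": 3010, "image": "Tabby.exe", "cmdline": ["Tabby.exe", "TABBY://RUN/?Command=echo%20case-test"]}
""".splitlines()

def run_command_from_url(arg):
    """Return the decoded command if arg is a tabby://run link carrying one, else None."""
    try:
        parts = urlsplit(arg.strip())
    except ValueError:
        return None
    if parts.scheme != "tabby":  # urlsplit lowercases the scheme
        return None
    action = (parts.netloc or parts.path).strip("/").lower()
    # Match parameter names case-insensitively so the check errs toward alerting.
    params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    if action == "run" and "command" in params:
        return params["command"][0]
    return None

def detect(lines):
    """Flag Tabby launches that carry a run link, and non-Tabby processes they spawn."""
    alerts, tainted = [], set()
    for line in lines:
        ev = json.loads(line)
        if ev["image"].lower() in TABBY_IMAGES:
            for arg in ev["cmdline"][1:]:
                cmd = run_command_from_url(arg)
                if cmd is not None:
                    tainted.add(ev["pid"])
                    alerts.append(("url_launch", ev["pid"], cmd))
        elif ev["ppid"] in tainted:
            alerts.append(("child_of_url_launch", ev["pid"], " ".join(ev["cmdline"])))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Processes whose image is Tabby itself are excluded from the child rule so that the application's own helper processes do not alert.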

Evidence notes

The vendor advisory confirms that the tabby:// URL scheme handler executes commands without user interaction. The CPE criteria specify affected versions as all releases prior to 1.0.233. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, no privileges required, and high impact across the confidentiality, integrity, and availability dimensions.

Official resources

2026-05-15