CVE-2026-45037 Eugeny CVE debrief

Who should care

Anyone using Tabby to connect to untrusted, external, or attacker-controlled SSH/Telnet hosts should treat this as a priority issue, especially environments where users regularly click links from terminal output.

Technical summary

The flaw is in Tabby’s linkifier: it detects URIs in terminal output and forwards them to the OS without validating whether the protocol scheme is safe. That creates a user-interaction-driven attack path from remote terminal content to local handler invocation. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, and the cited weakness classes are CWE-184 and CWE-601. The issue is fixed in Tabby 1.0.232.

Defensive priority

High. The vulnerability requires user interaction, but the attack surface is common for terminal users who connect to remote systems and may click detected links in terminal output.

Recommended defensive actions

• Upgrade Tabby to version 1.0.232 or later.
• If immediate upgrading is not possible, reduce or disable clickable-link handling in terminal workflows where the option exists.
• Warn users not to click terminal links from untrusted SSH/Telnet sessions.
• Review which systems and teams use Tabby against externally controlled hosts so remediation can be prioritized.
• Audit any local protocol handlers that could have sensitive side effects if launched from a terminal link.

Evidence notes

The evidence corpus includes the CVE description and an NVD modified-feed entry. The description states that prior to 1.0.232, Tabby’s terminal linkifier passed any detected URI directly to the OS protocol handler without scheme validation, enabling malicious SSH or Telnet servers to present crafted terminal output that Tabby renders as clickable links. The source item’s NVD metadata marks the CVE as Undergoing Analysis and cites a GitHub Security Advisory reference for Tabby.

Official resources