PatchSiren cyber security CVE debrief

CVE-2026-45038 Eugeny CVE debrief

CVE-2026-45038 is a high-severity Tabby vulnerability in drag-and-drop file handling. Before version 1.0.233, Tabby did not escape control characters in file paths when a file was dragged into the terminal emulator, which could result in code execution. The issue is fixed in Tabby 1.0.233. The CVE was published on 2026-05-15 and updated on 2026-05-20.

Vendor: Eugeny
Product: tabby
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-20
Advisory published: 2026-05-15
Advisory updated: 2026-05-20

Who should care

Organizations and users running Tabby on desktops, especially where drag-and-drop of files into the terminal is part of normal workflow. Security teams should also care because the flaw can lead to code execution from a user interaction path.

Technical summary

NVD maps the vulnerable product as tabby:tabby, with every version before 1.0.233 affected. The advisory describes a failure to escape control characters embedded in file paths during drag-and-drop handling: because a terminal emulator interprets control sequences in its input stream, a path that carries them is not treated as plain text. NVD lists CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences), and the linked vendor advisory indicates the issue can be used to achieve code execution. The provided data does not indicate KEV listing or known ransomware use.

Defensive priority

High. The vulnerability can be triggered through a common GUI interaction and may lead to code execution, so upgrading should be prioritized ahead of routine maintenance changes.

Recommended defensive actions

  • Upgrade Tabby to version 1.0.233 or later as soon as practical.
  • Inventory Tabby deployments and confirm the installed version is not below 1.0.233.
  • Temporarily discourage drag-and-drop of untrusted files into Tabby until patched.
  • Review local security guidance for terminal emulator use and user awareness around untrusted file interactions.
  • Track the linked vendor advisory and NVD record for any follow-up clarifications or remediation notes.
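As an added example (not Tabby's own code and not part of the original advisory), the following TypeScript shows the two checks the technical summary and the actions above call for: neutralizing control characters in a dropped file path before it reaches the terminal input stream (the CWE-150 mitigation) and comparing an installed version string against the fixed release 1.0.233. The function names, the regex range and the constructed sample paths are assumptions of this example.

```typescript
// Added example, not Tabby's own code. Function names and sample inputs are
// constructed for illustration.

// Fixed release named in the advisory.
const FIXED_VERSION = "1.0.233";

// C0 controls (includes ESC 0x1b, CR, LF), DEL (0x7f) and C1 controls (0x80-0x9f).
// Kept without the /g flag so .test() carries no lastIndex state between calls.
const CONTROL_CHAR = /[\u0000-\u001f\u007f-\u009f]/;

/** True when the path holds any character a terminal could interpret as a control sequence. */
function containsControlChars(path: string): boolean {
  return CONTROL_CHAR.test(path);
}

/** Remove every control character; no legitimate file name needs one in a terminal input stream. */
function stripControlChars(path: string): string {
  return path.replace(new RegExp(CONTROL_CHAR.source, "g"), "");
}

/**
 * Prepare a dropped path for insertion into a POSIX shell session:
 * strip control characters, then single-quote so shell metacharacters are
 * literal. A single quote inside the path is closed, escaped and reopened.
 */
function prepareDroppedPath(path: string): string {
  const clean = stripControlChars(path);
  return "'" + clean.replace(/'/g, "'\\''") + "'";
}

/** Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b. */
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

/** True when an installed Tabby version is older than the fixed release (versionEndExcluding 1.0.233). */
function isVulnerableVersion(installed: string): boolean {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Constructed samples: a clean path, a path carrying ESC and CR, and a path with a single quote.
const samples = ["/home/user/notes.txt", "/tmp/report\u001b[2J\r.txt", "/tmp/it's here.txt"];
for (const p of samples) {
  console.log(JSON.stringify(p), "control chars:", containsControlChars(p), "->", prepareDroppedPath(p));
}
for (const v of ["1.0.232", "1.0.233", "1.1.0"]) {
  console.log(`Tabby ${v} vulnerable: ${isVulnerableVersion(v)}`);
}
```

Stripping rather than escaping is the simpler safe default for a drop handler: a file name never needs ESC, CR or LF to be typed into a shell, so removing them loses nothing legitimate, while the single-quote wrapper keeps spaces and shell metacharacters literal. The version comparison mirrors NVD's versionEndExcluding semantics, so 1.0.233 itself is reported as fixed.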

Evidence notes

Source data shows CVE publication at 2026-05-15T17:16:48.760Z and modification at 2026-05-20T17:16:24.593Z. NVD lists the vulnerable CPE as cpe:2.3:a:tabby:tabby:* with versionEndExcluding 1.0.233. The only supplied reference is the GitHub security advisory GHSA-m937-jm93-pfp6, tagged as Exploit and Vendor Advisory. Provided enrichment marks this CVE as not in CISA KEV and does not identify ransomware use.

Official resources

The only reference supplied with the record is the GitHub security advisory GHSA-m937-jm93-pfp6 (tagged Exploit and Vendor Advisory), alongside the NVD entry for CVE-2026-45038. Publicly disclosed on 2026-05-15, with a subsequent NVD update on 2026-05-20. Fixed in Tabby 1.0.233.