CVE-2026-45037

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without validating the protocol scheme. This allows a malicious SSH or Telnet server to send crafted terminal output containing dangerous protocol URIs which Tabby renders as clickable links, triggering arbitrary OS protocol handlers on the victim's machine. This vulnerability is fixed in 1.0.232.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/Eugeny/tabby/security/advisories/GHSA-cmpc-v2x9-j9x9	Mitigation Vendor Advisory Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:tabby:tabby:*:*:*:*:*:*:*:*

History

19 May 2026, 19:27

Type	Values Removed	Values Added
First Time		Tabby tabby Tabby
CPE		cpe:2.3:a:tabby:tabby::::::::
References	~~() https://github.com/Eugeny/tabby/security/advisories/GHSA-cmpc-v2x9-j9x9 -~~	() https://github.com/Eugeny/tabby/security/advisories/GHSA-cmpc-v2x9-j9x9 - Mitigation, Vendor Advisory, Patch

15 May 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-15 17:16

Updated : 2026-05-19 19:27

NVD link : CVE-2026-45037

Mitre link : CVE-2026-45037

CVE.ORG link : CVE-2026-45037

JSON object : View

Products Affected

tabby

tabby

CWE

CWE-184

Incomplete List of Disallowed Inputs

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2026-45037", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 2.8}]}, "published": "2026-05-15T17:16:48.623", "references": [{"url": "https://github.com/Eugeny/tabby/security/advisories/GHSA-cmpc-v2x9-j9x9", "tags": ["Mitigation", "Vendor Advisory", "Patch"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without validating the protocol scheme. This allows a malicious SSH or Telnet server to send crafted terminal output containing dangerous protocol URIs which Tabby renders as clickable links, triggering arbitrary OS protocol handlers on the victim's machine. This vulnerability is fixed in 1.0.232."}], "lastModified": "2026-05-19T19:27:58.080", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tabby:tabby:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E01F60F-44F5-4C19-9960-8349CEA0E1E5", "versionEndExcluding": "1.0.232"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}