CVE-2026-45037— Tabby: Unsafe protocol handler execution via terminal linkifier allows arbitrary OS protocol invocation
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45037
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Tabby: Unsafe protocol handler execution via terminal linkifier allows arbitrary OS protocol invocation
Source: NVD (National Vulnerability Database)
Vulnerability Description
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without validating the protocol scheme. This allows a malicious SSH or Telnet server to send crafted terminal output containing dangerous protocol URIs which Tabby renders as clickable links, triggering arbitrary OS protocol handlers on the victim's machine. This vulnerability is fixed in 1.0.232.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
不完整的黑名单
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45037
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45037
请登录查看更多情报信息。
- https://github.com/Eugeny/tabby/security/advisories/GHSA-cmpc-v2x9-j9x9x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-45037
Same Patch Batch · Eugeny · 2026-05-15 · 4 CVEs total
| CVE-2026-45036 | 7.0 HIGH | Tabby auto-confirms ZMODEM detection on terminal output, leading to shell command executio |
| CVE-2026-45035 | Tabby: RCE via `tabby://run` URL Scheme | |
| CVE-2026-45038 | Tabby: Dragging and Dropping a File into Tabby Can Lead to Code Execution |
IV. Related Vulnerabilities
Same product: tabby
- CVE-2026-45038
Tabby: Dragging and Dropping a File into Tabby Can Lead to C - CVE-2026-45036
Tabby auto-confirms ZMODEM detection on terminal output, lea - CVE-2026-45035
Tabby: RCE via `tabby://run` URL Scheme - CVE-2025-22136
Tabby has a TCC Bypass via Misconfigured Node Fuses - CVE-2024-55950
Tabby has a TCC Bypass via Unnecessary Permissive Entitlemen
Same vendor: Eugeny
- CVE-2026-45038
Tabby: Dragging and Dropping a File into Tabby Can Lead to C - CVE-2026-45036
Tabby auto-confirms ZMODEM detection on terminal output, lea - CVE-2026-45035
Tabby: RCE via `tabby://run` URL Scheme - CVE-2026-42189
Russh: Pre-auth DoS via unbounded allocation in keyboard-int - CVE-2025-54804
Russh is missing an overflow check during channel windows ad
Same weakness: CWE-184
- CVE-2026-42590
Gotenberg: ExifTool group-prefix syntax bypasses dangerous-t - CVE-2026-43929
ssrfcheck: Server-Side Request Forgery (SSRF) and Incomplete - CVE-2026-45006
OpenClaw < 2026.4.23 - Unsafe Config Mutation via Gateway To - CVE-2026-44993
OpenClaw < 2026.4.20 - Direct Message Misclassification in F - CVE-2026-44115
OpenClaw < 2026.4.22 - Shell Expansion Bypass in Unquoted He
V. Comments for CVE-2026-45037
No comments yet