Tabby
by Eugeny
Source repositories
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-45035 | Hig | 0.50 | 8.8 | 0.00 | May 15, 2026 | Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation,… | ||
| CVE-2025-22136 | Hig | 0.49 | — | 0.00 | Jan 8, 2025 | Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.217 , Tabby enables several high-risk Electron Fuses, including RunAsNode, EnableNodeCliInspectArguments, and EnableNodeOptionsEnvironmentVariable. These fuses create potential code injection… | ||
| CVE-2024-55950 | Hig | 0.49 | — | 0.00 | Dec 26, 2024 | Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.216, Tabby terminal emulator contains overly permissive entitlements that are unnecessary for its core functionality and plugin system, creating potential security vulnerabilities. The application… | ||
| CVE-2026-45038 | Hig | 0.44 | 7.8 | 0.00 | May 15, 2026 | Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code execution can be achieved. This vulnerability is fixed in 1.0.233. | ||
| CVE-2026-45037 | Hig | 0.39 | 7.1 | 0.00 | May 15, 2026 | Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without validating the protocol scheme. This allows a malicious SSH or Telnet server to… | ||
| CVE-2026-45036 | Hig | 0.39 | 7.0 | 0.00 | May 15, 2026 | Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby before 1.0.233 automatically confirms ZMODEM protocol detection on all terminal session output without user interaction, enabling shell command execution when a user displays… | ||
| CVE-2024-48460 | Med | 0.21 | 4.3 | 0.00 | Jan 16, 2025 | An issue in Eugeny Tabby 1.0.213 allows a remote attacker to obtain sensitive information via the server and sends the SSH username and password even when the host key verification fails. |
- risk 0.50cvss 8.8epss 0.00
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation,…
- risk 0.49cvss —epss 0.00
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.217 , Tabby enables several high-risk Electron Fuses, including RunAsNode, EnableNodeCliInspectArguments, and EnableNodeOptionsEnvironmentVariable. These fuses create potential code injection…
- risk 0.49cvss —epss 0.00
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.216, Tabby terminal emulator contains overly permissive entitlements that are unnecessary for its core functionality and plugin system, creating potential security vulnerabilities. The application…
- risk 0.44cvss 7.8epss 0.00
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code execution can be achieved. This vulnerability is fixed in 1.0.233.
- risk 0.39cvss 7.1epss 0.00
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without validating the protocol scheme. This allows a malicious SSH or Telnet server to…
- risk 0.39cvss 7.0epss 0.00
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby before 1.0.233 automatically confirms ZMODEM protocol detection on all terminal session output without user interaction, enabling shell command execution when a user displays…
- risk 0.21cvss 4.3epss 0.00
An issue in Eugeny Tabby 1.0.213 allows a remote attacker to obtain sensitive information via the server and sends the SSH username and password even when the host key verification fails.