VYPR

Tabby

by Eugeny

Source repositories

CVEs (7)

  • CVE-2026-45035HigMay 15, 2026
    risk 0.50cvss 8.8epss 0.00

    Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation,…

  • CVE-2025-22136HigJan 8, 2025
    risk 0.49cvss epss 0.00

    Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.217 , Tabby enables several high-risk Electron Fuses, including RunAsNode, EnableNodeCliInspectArguments, and EnableNodeOptionsEnvironmentVariable. These fuses create potential code injection…

  • CVE-2024-55950HigDec 26, 2024
    risk 0.49cvss epss 0.00

    Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.216, Tabby terminal emulator contains overly permissive entitlements that are unnecessary for its core functionality and plugin system, creating potential security vulnerabilities. The application…

  • CVE-2026-45038HigMay 15, 2026
    risk 0.44cvss 7.8epss 0.00

    Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code execution can be achieved. This vulnerability is fixed in 1.0.233.

  • CVE-2026-45037HigMay 15, 2026
    risk 0.39cvss 7.1epss 0.00

    Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without validating the protocol scheme. This allows a malicious SSH or Telnet server to…

  • CVE-2026-45036HigMay 15, 2026
    risk 0.39cvss 7.0epss 0.00

    Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby before 1.0.233 automatically confirms ZMODEM protocol detection on all terminal session output without user interaction, enabling shell command execution when a user displays…

  • CVE-2024-48460MedJan 16, 2025
    risk 0.21cvss 4.3epss 0.00

    An issue in Eugeny Tabby 1.0.213 allows a remote attacker to obtain sensitive information via the server and sends the SSH username and password even when the host key verification fails.