{"id":"CVE-2026-45035","summary":"Tabby: RCE via `tabby://run` URL Scheme","details":"Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes OS commands with no user confirmation, sanitization, or sandboxing. An attacker can craft a malicious link (tabby://run?command=...) and deliver it via a website, email, chat message, or any other medium. When a victim clicks the link, the OS launches Tabby which immediately spawns the specified command as a child process with the user's full privileges. This is a zero-click-after-link-visit RCE vulnerability. This vulnerability is fixed in 1.0.233.","aliases":["GHSA-hf8h-rjrf-3jg6"],"modified":"2026-07-08T08:13:29.972112643Z","published":"2026-05-15T16:41:11.422Z","database_specific":{"cwe_ids":["CWE-78"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45035.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45035.json"},{"type":"ADVISORY","url":"https://github.com/Eugeny/tabby/security/advisories/GHSA-hf8h-rjrf-3jg6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45035"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eugeny/tabby","events":[{"introduced":"0"},{"fixed":"78a56326aca3ca25285e8da1ec8b02c14f8dfacd"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE"],"cpe":"cpe:2.3:a:tabby:tabby:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"1.0.233"}]}}],"versions":["v1.0.232","v1.0.231","v1.0.230","v1.0.229","v1.0.228","v1.0.227","v1.0.226","v1.0.225","v1.0.224","v1.0.223","v1.0.222","v1.0.221","v1.0.220","v1.0.219","v1.0.218","v1.0.217","v1.0.216","v1.0.215","v1.0.214","v1.0.213","v1.0.212","v1.0.211","v1.0.210","v1.0.209","v1.0.208","v1.0.207","v1.0.206","v1.0.205","v1.0.204","v1.0.202","v1.0.201","v1.0.200","v1.0.199","v1.0.198","v1.0.197","v1.0.196","v1.0.195","v1.0.194","v1.0.193","v1.0.192","v1.0.191","v1.0.190","v1.0.189","v1.0.188","v1.0.187","v1.0.186","v1.0.184","v1.0.183","v1.0.182","v1.0.181","v1.0.180","v1.0.179","v1.0.178","v1.0.177","v1.0.176","v1.0.175","v1.0.174","v1.0.173","v1.0.172","v1.0.171","v1.0.170","v1.0.169","v1.0.168","v1.0.167","v1.0.166","v1.0.165","v1.0.164","v1.0.163","v1.0.162","v1.0.161","v1.0.160","v1.0.159","v1.0.158","v1.0.157","v1.0.156","v1.0.155","v1.0.154","v1.0.152","v1.0.151","v1.0.150","v1.0.149","v1.0.148","v1.0.147","v1.0.146","v1.0.145","v1.0.144","v1.0.143","v1.0.142","v1.0.141","v1.0.140","v1.0.139","v1.0.138","v1.0.137","v1.0.136","v1.0.135","v1.0.134","v1.0.132","v1.0.131","v1.0.130","v1.0.129","v1.0.128","v1.0.127","v1.0.126","v1.0.125","v1.0.124","v1.0.123","v1.0.122","v1.0.121","v1.0.120","v1.0.119","v1.0.117","v1.0.116","v1.0.115","v1.0.114","v1.0.113","v1.0.112","v1.0.111","v1.0.110","v1.0.109","v1.0.108","v1.0.107","v1.0.106","v1.0.105","v1.0.104","v1.0.103","v1.0.102","v1.0.101","v1.0.100","v1.0.99","v1.0.98","v1.0.97","v1.0.96","v1.0.95","v1.0.94","v1.0.93","v1.0.92","v1.0.91","v1.0.90","v1.0.89","v1.0.88","v1.0.87","v1.0.86","v1.0.85","v1.0.84","v1.0.83","v1.0.82","v1.0.80","v1.0.79","v1.0.78-rc.3","v1.0.78-rc.2","v1.0.78","v1.0.78-rc.1","v1.0.73","v1.0.72","v1.0.71","v1.0.70","v1.0.69","v1.0.68","v1.0.67","v1.0.66","v1.0.65","v1.0.1","v1.0.0-alpha.64","v1.0.0-alpha.63","v1.0.0-alpha.61","v1.0.0-alpha.60","v1.0.0-alpha.59","v1.0.0-alpha.58","v1.0.0-alpha.56","v1.0.0-alpha.55","v1.0.0-alpha.54","v1.0.0-alpha.53","v1.0.0-alpha.52","v1.0.0-alpha.51","v1.0.0-alpha.50","v1.0.0-alpha.49","v1.0.0-alpha.48","v1.0.0-alpha.47","v1.0.0-alpha.46","v1.0.0-alpha.45","v1.0.0-alpha.44","v1.0.0-alpha.43","v1.0.0-alpha.42","v1.0.0-alpha.41","v1.0.0-alpha.40","v1.0.0-alpha.39","v1.0.0-alpha.38","v1.0.0-alpha.36","v1.0.0-alpha.35","v1.0.0-alpha.34","v1.0.0-alpha.33","v1.0.0-alpha.32.2","v1.0.0-alpha.32","v1.0.0-alpha.31","v1.0.0-alpha.30","v1.0.0-alpha.29","v1.0.0-alpha.20","v1.0.0-alpha.16","v1.0.0-alpha.15","v1.0.0-alpha.14","v1.0.0-alpha.13","v1.0.0-alpha.12","v1.0.0-alpha.11","v1.0.0-alpha.10","v1.0.0-alpha.8","v1.0.0-alpha.7","v1.0.0-alpha.6","v1.0.0-alpha.5","v1.0.0-alpha.4","v1.0.0-alpha.3","v1.0.0-alpha.2","v1.0.0-alpha.1","v0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45035.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}]}