{"id":"CVE-2026-46709","summary":"Tabby: Drag-and-drop path injection still allows RCE via shell command substitution (incomplete fix for CVE-2026-45038)","details":"Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.234, Tabby inserts dropped file paths from tabby-electron/src/pathDrop.ts into the active shell without neutralizing command substitution metacharacters such as $(…) and `…`, so the incomplete CVE-2026-45038 fix for control characters still allows code execution when the victim presses Enter. This issue is fixed in version 1.0.234.","aliases":["GHSA-mq9v-2pgm-fxgh"],"modified":"2026-07-17T03:46:24.152245220Z","published":"2026-07-15T14:59:18.601Z","database_specific":{"cwe_ids":["CWE-77","CWE-78"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46709.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/Eugeny/tabby/releases/tag/v1.0.234"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46709.json"},{"type":"ADVISORY","url":"https://github.com/Eugeny/tabby/security/advisories/GHSA-mq9v-2pgm-fxgh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46709"},{"type":"FIX","url":"https://github.com/Eugeny/tabby/commit/e151472b951bbd472ddc0545ec8656e4c0f352da"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eugeny/tabby","events":[{"introduced":"0"},{"fixed":"e151472b951bbd472ddc0545ec8656e4c0f352da"},{"fixed":"ecf2a487bcfdbdd43a324dc4b168e522b0d65130"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.0.234"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v1.0.233","v1.0.232","v1.0.231","v1.0.230","v1.0.229","v1.0.228","v1.0.227","v1.0.226","v1.0.225","v1.0.224","v1.0.223","v1.0.222","v1.0.221","v1.0.220","v1.0.219","v1.0.218","v1.0.217","v1.0.216","v1.0.215","v1.0.214","v1.0.213","v1.0.212","v1.0.211","v1.0.210","v1.0.209","v1.0.208","v1.0.207","v1.0.206","v1.0.205","v1.0.204","v1.0.202","v1.0.201","v1.0.200","v1.0.199","v1.0.198","v1.0.197","v1.0.196","v1.0.195","v1.0.194","v1.0.193","v1.0.192","v1.0.191","v1.0.190","v1.0.189","v1.0.188","v1.0.187","v1.0.186","v1.0.184","v1.0.183","v1.0.182","v1.0.181","v1.0.180","v1.0.179","v1.0.178","v1.0.177","v1.0.176","v1.0.175","v1.0.174","v1.0.173","v1.0.172","v1.0.171","v1.0.170","v1.0.169","v1.0.168","v1.0.167","v1.0.166","v1.0.165","v1.0.164","v1.0.163","v1.0.162","v1.0.161","v1.0.160","v1.0.159","v1.0.158","v1.0.157","v1.0.156","v1.0.155","v1.0.154","v1.0.152","v1.0.151","v1.0.150","v1.0.149","v1.0.148","v1.0.147","v1.0.146","v1.0.145","v1.0.144","v1.0.143","v1.0.142","v1.0.141","v1.0.140","v1.0.139","v1.0.138","v1.0.137","v1.0.136","v1.0.135","v1.0.134","v1.0.132","v1.0.131","v1.0.130","v1.0.129","v1.0.128","v1.0.127","v1.0.126","v1.0.125","v1.0.124","v1.0.123","v1.0.122","v1.0.121","v1.0.120","v1.0.119","v1.0.117","v1.0.116","v1.0.115","v1.0.114","v1.0.113","v1.0.112","v1.0.111","v1.0.110","v1.0.109","v1.0.108","v1.0.107","v1.0.106","v1.0.105","v1.0.104","v1.0.103","v1.0.102","v1.0.101","v1.0.100","v1.0.99","v1.0.98","v1.0.97","v1.0.96","v1.0.95","v1.0.94","v1.0.93","v1.0.92","v1.0.91","v1.0.90","v1.0.89","v1.0.88","v1.0.87","v1.0.86","v1.0.85","v1.0.84","v1.0.83","v1.0.82","v1.0.80","v1.0.79","v1.0.78-rc.3","v1.0.78-rc.2","v1.0.78","v1.0.78-rc.1","v1.0.73","v1.0.72","v1.0.71","v1.0.70","v1.0.69","v1.0.68","v1.0.67","v1.0.66","v1.0.65","v1.0.1","v1.0.0-alpha.64","v1.0.0-alpha.63","v1.0.0-alpha.61","v1.0.0-alpha.60","v1.0.0-alpha.59","v1.0.0-alpha.58","v1.0.0-alpha.56","v1.0.0-alpha.55","v1.0.0-alpha.54","v1.0.0-alpha.53","v1.0.0-alpha.52","v1.0.0-alpha.51","v1.0.0-alpha.50","v1.0.0-alpha.49","v1.0.0-alpha.48","v1.0.0-alpha.47","v1.0.0-alpha.46","v1.0.0-alpha.45","v1.0.0-alpha.44","v1.0.0-alpha.43","v1.0.0-alpha.42","v1.0.0-alpha.41","v1.0.0-alpha.40","v1.0.0-alpha.39","v1.0.0-alpha.38","v1.0.0-alpha.36","v1.0.0-alpha.35","v1.0.0-alpha.34","v1.0.0-alpha.33","v1.0.0-alpha.32.2","v1.0.0-alpha.32","v1.0.0-alpha.31","v1.0.0-alpha.30","v1.0.0-alpha.29","v1.0.0-alpha.20","v1.0.0-alpha.16","v1.0.0-alpha.15","v1.0.0-alpha.14","v1.0.0-alpha.13","v1.0.0-alpha.12","v1.0.0-alpha.11","v1.0.0-alpha.10","v1.0.0-alpha.8","v1.0.0-alpha.7","v1.0.0-alpha.6","v1.0.0-alpha.5","v1.0.0-alpha.4","v1.0.0-alpha.3","v1.0.0-alpha.2","v1.0.0-alpha.1","v0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46709.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}