CVE-2026-45036: Tabby Terminal ZMODEM Flaw Enables Code Execution

The National Vulnerability Database has published CVE-2026-45036, a high-severity vulnerability in the Tabby (formerly Terminus) terminal emulator affecting versions prior to 1.0.233. The flaw allows remote code execution when a user displays attacker-controlled content. The root cause is Tabby's ZModemMiddleware, which confirms ZMODEM protocol detection on all terminal session output automatically, without any user interaction: when a ZRQINIT header appears in the output, Tabby unconditionally writes a ZRINIT response back into the active PTY.

When the process that triggered the detection (for example, cat) exits, the injected bytes are consumed by the user's shell as a command. Under the fish shell, the ** prefix of the injected response can trigger recursive glob expansion, which can execute an attacker-placed executable. Under bash and zsh, a crafted xterm.js terminal color-query response can similarly inject a command containing a slash, bypassing PATH resolution. An attacker can exploit this by distributing a specially crafted file, for example inside a cloned Git repository, that the user later views, leading to code execution with minimal interaction.

This vulnerability, rated with a CVSS score of 7 (HIGH), shows how dangerous it is for a terminal emulator to trust protocol detection blindly. Defenders should recognize that a seemingly innocuous action such as viewing a file can become an attack vector. The National Vulnerability Database confirms that the issue is resolved in Tabby version 1.0.233.
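As an added example (not code from the advisory or from the Tabby project), the following Python scanner decodes ZMODEM hex headers in the format the ZMODEM specification defines, verifies their CRC-16, and flags content carrying a ZRQINIT frame, the trigger the advisory describes; a defender can run it over a freshly cloned repository or captured terminal output before displaying it in an unpatched Tabby. The ZRINIT bytes are the ones the advisory lists (with the ** prefix it mentions); the ZRQINIT sample file and the frame-name table are constructed here.

```python
import re
import sys

# ZMODEM hex header (per the ZMODEM spec): "**" ZDLE(0x18) 'B', then the frame type as
# 2 hex digits, 4 flag bytes as 8 hex digits, a CRC-16 as 4 hex digits, CR LF and an XON.
HEX_HEADER = re.compile(
    rb"(?:\*\*)?\x18B([0-9a-fA-F]{2})([0-9a-fA-F]{8})([0-9a-fA-F]{4})\r?\n?\x11?"
)
FRAME_NAMES = {0: "ZRQINIT", 1: "ZRINIT", 2: "ZSINIT", 3: "ZACK", 4: "ZFILE",
               8: "ZFIN", 9: "ZRPOS", 10: "ZDATA", 11: "ZEOF"}


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM (poly 0x1021, init 0, no reflection), as used on ZMODEM hex headers."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def find_zmodem_headers(stream: bytes) -> list:
    """Decode every ZMODEM hex header in `stream` and check its CRC over type + flags."""
    frames = []
    for m in HEX_HEADER.finditer(stream):
        ftype = int(m.group(1), 16)
        flags = bytes.fromhex(m.group(2).decode("ascii"))
        frames.append({
            "offset": m.start(),
            "name": FRAME_NAMES.get(ftype, f"type-{ftype}"),
            "flags": flags.hex(),
            "crc_ok": crc16_xmodem(bytes([ftype]) + flags) == int(m.group(3), 16),
        })
    return frames


def is_zmodem_trigger(content: bytes) -> bool:
    """True if content carries a ZRQINIT frame, which makes an unpatched Tabby auto-answer."""
    return any(f["name"] == "ZRQINIT" for f in find_zmodem_headers(content))


# The ZRINIT response the advisory lists as injected, with the ** prefix it mentions.
INJECTED_ZRINIT = b"**\x18B0100000023be50\r\n\x11"
# Constructed sample: a text file carrying a ZRQINIT header (type 00, zero flags, CRC 0000).
SAMPLE_REPO_FILE = b"# README\nharmless text\n**\x18B00000000000000\r\n\x11more text\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. every file of a freshly cloned repository
        with open(path, "rb") as fh:
            for f in find_zmodem_headers(fh.read()):
                print(f"{path}: offset {f['offset']} {f['name']} flags={f['flags']} crc_ok={f['crc_ok']}")
```

A frame whose CRC does not verify is still reported, since a terminal's detection heuristic may not check the CRC before reacting.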

What This Means For You

  • If your organization uses the Tabby terminal, patch immediately to version 1.0.233 or later to mitigate CVE-2026-45036. This is not only about untrusted binaries; attacker-controlled *content* viewed in a terminal can lead to shell execution. Audit your development environments and ensure all Tabby instances are updated. This attack vector exploits the user's trust in their own display mechanism.

🛡️ Detection Rules

The detection rule below was auto-generated for this advisory and mapped to MITRE ATT&CK.

Level: high · ATT&CK: T1059.004 (Execution)

CVE-2026-45036: Tabby Terminal ZMODEM Unconfirmed Protocol Detection

Sigma YAML:
title: CVE-2026-45036: Tabby Terminal ZMODEM Unconfirmed Protocol Detection
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects the ZMODEM ZRINIT response '\x18B0100000023be50' that Tabby writes to the PTY
  after detecting a ZRQINIT header in session output, indicating exploitation of
  CVE-2026-45036. The response is injected without user interaction and can lead to
  command execution once the shell consumes it.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45036/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
detection:
  selection:
    Image|contains:
      - 'tabby'
    # In Sigma a backslash before a non-wildcard character is a literal backslash, so this
    # matches the escaped rendering "\x18"; adjust to how your log source renders the CAN (0x18) byte.
    CommandLine|contains:
      - '\x18B0100000023be50'
  condition: selection
falsepositives:
  - Legitimate administrative activity


Indicators of Compromise

ID              Type               Indicator
CVE-2026-45036  RCE                Tabby terminal emulator versions prior to 1.0.233
CVE-2026-45036  Code Injection     ZModemMiddleware in tabby-terminal processing the ZMODEM ZRQINIT header
CVE-2026-45036  Command Injection  Injected bytes: \x18B0100000023be50\r\n\x11
CVE-2026-45036  Misconfiguration   fish shell default configuration with recursive glob expansion (** prefix)
CVE-2026-45036  Command Injection  bash and zsh combined with xterm.js terminal color-query feedback (OSC 10)
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
