Tabby Terminal Vulnerability CVE-2026-45037 Allows OS Protocol Handler Hijack

A critical vulnerability, CVE-2026-45037, has been identified in Tabby (formerly Terminus), a popular terminal emulator. The National Vulnerability Database reports that prior to version 1.0.232, Tabby’s terminal linkifier failed to validate protocol schemes in detected URIs, passing them directly to the operating system’s protocol handler.

This flaw enables a malicious SSH or Telnet server to inject crafted terminal output. This output can contain dangerous protocol URIs that Tabby then renders as clickable links. When a user clicks these links, arbitrary OS protocol handlers are triggered on their machine, potentially leading to code execution or other system compromise. The National Vulnerability Database assigns this a CVSS score of 7.1 (HIGH), highlighting the significant risk.

For defenders, this is a clear reminder that even seemingly innocuous features like link parsing can become potent attack vectors. Attackers are constantly finding new ways to weaponize user interaction, especially within tools that have privileged access or handle untrusted input. Updating to Tabby version 1.0.232 or later is the immediate fix.
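The scheme check that the linkifier lacked can be sketched as follows. This is an added example, not Tabby's code or its actual patch; the http/https allowlist, the function names and the sample terminal output are assumptions constructed for illustration.

```javascript
// Added example, not Tabby's code. Assumption: only web links should be
// clickable, so the allowlist contains http and https only.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Matches any "scheme://rest" token, the way a permissive linkifier
// would pick up candidates in terminal output.
const URI_CANDIDATE = /\b[a-zA-Z][a-zA-Z0-9+.-]*:\/\/[^\s"'<>]+/g;

// Returns the normalized URL if its scheme is allowed, otherwise null.
function validateLinkTarget(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null; // unparseable input is never handed to the OS
  }
  // URL.protocol is lower-cased by the parser, so "HTTPS://" cannot
  // slip past a case-sensitive comparison.
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Splits detected URIs into those rendered as clickable links and
// those left as plain text.
function classifyLinks(output) {
  const clickable = [];
  const rejected = [];
  for (const match of output.match(URI_CANDIDATE) || []) {
    const target = validateLinkTarget(match);
    if (target) clickable.push(target);
    else rejected.push(match);
  }
  return { clickable, rejected };
}

// Constructed sample of output received from an untrusted remote host.
const SAMPLE_OUTPUT = [
  'Docs: HTTPS://example.com/guide',
  'Click to continue: example-handler://run?arg=1',
  'Mirror: ftp://example.com/file',
].join('\n');

console.log(classifyLinks(SAMPLE_OUTPUT));
```

Only the entries in `clickable` would ever reach the OS opener; everything in `rejected` stays inert text in the terminal.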

What This Means For You

  • If your organization uses Tabby as a terminal emulator, patch immediately to version 1.0.232 or higher. A malicious SSH or Telnet server can present crafted links in terminal output, and a single click on one triggers arbitrary OS protocol handlers on your system, potentially leading to code execution. Do not delay: this isn't theoretical; it's a direct path to compromise.

🛡️ Detection Rules

high T1204.002 Initial Access

CVE-2026-45037 - Tabby Terminal OS Protocol Handler Hijack via Malicious URI

Sigma YAML — free preview
title: CVE-2026-45037 - Tabby Terminal OS Protocol Handler Hijack via Malicious URI
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects the execution of Tabby terminal emulator with a command line argument containing a 'tabby://' URI, which is indicative of an attempt to exploit CVE-2026-45037. This vulnerability allows a malicious server to send crafted terminal output containing dangerous protocol URIs which Tabby renders as clickable links, triggering arbitrary OS protocol handlers on the victim's machine.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45037/
tags:
  - attack.initial_access
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  # Matches Tabby itself being launched with a 'tabby://' URI on its command line.
  # Handlers started for other protocol schemes are not covered by this selection.
  selection:
    Image|startswith:
      - 'C:\Program Files\Tabby\Tabby.exe'
    CommandLine|contains:
      - 'tabby://'
  # The condition belongs directly under 'detection', as a sibling of 'selection'.
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse


Indicators of Compromise

ID | Type | Indicator
CVE-2026-45037 | RCE | Tabby (formerly Terminus) terminal emulator
CVE-2026-45037 | RCE | Tabby versions prior to 1.0.232
CVE-2026-45037 | RCE | Vulnerable component: terminal linkifier
CVE-2026-45037 | RCE | Attack vector: crafted terminal output from malicious SSH or Telnet server containing dangerous protocol URIs

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
