CVE-2026-45038

Exploit

EPSS 0.18%
Veröffentlicht 15.05.2026 16:48:12
Zuletzt bearbeitet 20.05.2026 17:16:24
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Tabby: Dragging and Dropping a File into Tabby Can Lead to Code Execution

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code execution can be achieved. This vulnerability is fixed in 1.0.233.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tabby ≫ Tabby Version < 1.0.233

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.075

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	8.4	0	0	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

https://github.com/Eugeny/tabby/security/advisories/GHSA-m937-jm93-pfp6

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-45038

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-45038

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-45038

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-45038