CVEFinder.io

CVE-2026-45036

⚠️ high
🔍 Scan for this CVE
Summary

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby before 1.0.233 automatically confirms ZMODEM protocol detection on all terminal session output without user interaction, enabling shell command execution when a user displays attacker-controlled content. The ZModemMiddleware in tabby-terminal consumes all session output through a Zmodem.Sentry, and when a ZMODEM ZRQINIT header is detected, unconditionally calls detection.confirm() and writes a fixed ZRI

Description

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby before 1.0.233 automatically confirms ZMODEM protocol detection on all terminal session output without user interaction, enabling shell command execution when a user displays attacker-controlled content. The ZModemMiddleware in tabby-terminal consumes all session output through a Zmodem.Sentry, and when a ZMODEM ZRQINIT header is detected, unconditionally calls detection.confirm() and writes a fixed ZRINIT response ( **\x18B0100000023be50\r\n\x11) back into the active PTY as input. When the process that triggered the detection (e.g., cat) exits, the injected bytes are consumed by the user's shell as a command line. Under fish (default configuration), the ** prefix triggers recursive glob expansion against the current directory, allowing an attacker-placed executable at a matching nested path (e.g., d/xB0100000023be50) to be executed by relative pathname without relying on PATH. Under bash and zsh, a secondary xterm.js terminal color-query feedback (OSC 10) can be combined in the same file to inject a slash-containing command word that similarly bypasses PATH resolution. An attacker can exploit this by providing a crafted file (e.g., in a cloned Git repository) that a user displays with cat, achieving code execution with no interaction beyond viewing the file. This vulnerability is fixed in 1.0.233.

CVSS Score
7.0
High
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-15
First Seen: 2026-05-17
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 51.9% of all 329,778 vulnerabilities in our database.

#158,758
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 20, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Total
Complete system compromise possible
SSVC data provided by CISA
Last Modified 2026-05-20
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-78

📦 Affected Products 1

Vendor Product Status Affected Versions
tabby tabby Affected
< 1.0.233

🔗 References 1

https://github.com/Eugeny/tabby/security/advisories/...
Mitigation Vendor Advisory

🔗 Related CVEs 3

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-45035 ⚠️ high 8.8 0.0 Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the ha... 2026-05-15
CVE-2026-45037 ⚠️ high 7.1 0.1 Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passe... 2026-05-15
CVE-2026-45038 ⚠️ high 7.8 0.0 Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape cont... 2026-05-15
These CVEs affect the same products