Custom URL schemes are one of the quietest attack surfaces in modern desktop software. They let a link such as tabby://... hand control to a locally installed application, and they appear everywhere from password managers to video-conferencing clients. CVE-2026-45035, disclosed against the Tabby terminal emulator (formerly Terminus), is a textbook example of how badly that convenience can go wrong. According to the National Vulnerability Database record, versions of Tabby prior to 1.0.233 registered themselves as the handler for the tabby:// URL scheme on every platform, and that handler supported a run command that “directly executes OS commands with no user confirmation, sanitization, or sandboxing.”

The practical consequence is severe. An attacker crafts a link of the form tabby://run?command=... and delivers it through any channel that renders a clickable URL — a website, an email, a chat message, a document. When a victim who has Tabby installed clicks it, the operating system launches Tabby, which immediately spawns the specified command as a child process running with the user’s full privileges. The NVD description characterizes this bluntly as a “zero-click-after-link-visit RCE vulnerability,” meaning that once the link is followed there is no further dialog, prompt, or confirmation to stop the command from running.

The CWE class: OS command injection

NVD classifies the flaw under CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’). That weakness class describes software that constructs an operating-system command from input it does not fully control, then passes that command to a shell or process-spawning API without neutralizing the dangerous elements. The defining mistake is trust: the program treats externally supplied data as if it were a safe, intended instruction. Here the “input” is the entire command parameter of the URL, and the “command” is whatever the attacker wants the victim’s machine to execute.

What makes this instance especially clean — from an attacker’s perspective — is that there is no injection in the traditional sense of breaking out of a quoted string or smuggling a metacharacter past a filter. The run verb was designed to run commands. The vulnerability is that the application exposed that capability to a remotely reachable, attacker-controllable channel (the URL scheme) without any of the gates that should sit in front of arbitrary execution: a confirmation prompt, an allowlist of permitted commands, or sandboxing of the spawned process. A terminal emulator legitimately needs to run shell commands; the defect is letting an untrusted website decide which ones, silently.
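The pattern described above, as an added example that is not Tabby's own code and not taken from the advisory: a hypothetical tabby://run-style handler in the shape the NVD description gives, beside a hardened version of the same entry point. How the URL string reaches the process (Electron's open-url event on macOS, a second-instance argv on Windows and Linux) is platform-specific and elided; both functions simply receive the link. The process-spawning function is injected so the example runs offline without launching anything, and the "open-settings" verb and its argv are assumptions made for illustration.

```javascript
// Added example, not Tabby's code: a tabby://run-style URL handler in the
// shape the advisory describes, beside a hardened version of the same
// entry point. execFn is injected so nothing is actually spawned here.

// VULNERABLE PATTERN (hypothetical reconstruction): the link chooses the
// command, and it goes straight to a shell with no prompt or allowlist.
function handleLinkVulnerable(link, execFn) {
  let url;
  try { url = new URL(link); } catch { return { action: "ignored" }; }
  if (url.protocol !== "tabby:" || url.hostname !== "run") return { action: "ignored" };
  const command = url.searchParams.get("command") ?? "";
  execFn(command); // e.g. child_process.exec(command): an attacker-chosen shell string
  return { action: "executed", command };
}

// HARDENED PATTERN: three gates sit in front of execution.
// The link may select a verb; the program and its arguments are fixed here.
const ALLOWED_VERBS = new Map([
  ["open-settings", ["tabby", "--settings"]], // assumed verb/argv, for illustration only
]);

function handleLinkHardened(link, { execFn, confirmFn }) {
  let url;
  try { url = new URL(link); } catch { return { action: "rejected", reason: "unparseable" }; }
  if (url.protocol !== "tabby:") return { action: "ignored" };

  // Gate 1: allowlist of verbs. "run" is not on it, so arbitrary commands are
  // unreachable no matter how the query string is encoded.
  const argv = ALLOWED_VERBS.get(url.hostname);
  if (!argv) return { action: "rejected", reason: `unknown verb "${url.hostname}"` };

  // Gate 2: explicit confirmation that shows the user exactly what will run.
  if (!confirmFn(`A link wants to run: ${argv.join(" ")}. Allow?`)) {
    return { action: "rejected", reason: "user declined" };
  }

  // Gate 3: hand over an argv array, never a shell string, so no metacharacter
  // is interpreted: child_process.spawn(argv[0], argv.slice(1), { shell: false }).
  execFn(argv);
  return { action: "executed", argv };
}
```

The point of the contrast is the data flow, not the parsing: in the vulnerable version the URL's query parameter is the command, so percent-encoding a pipe or a semicolon is all an attacker needs; in the hardened version the URL can only pick an entry from a fixed table, the user sees what that entry will launch, and the launch itself never touches a shell.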

Why the scores diverge: 8.8 versus 9.4

The record carries two CVSS assessments, and the gap between them is instructive. NVD’s own CVSS v3.1 score is 8.8 (High), with the vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Reading that vector: the attack is network-reachable (AV:N, the link can come from anywhere), low complexity (AC:L, no special conditions), requires no privileges on the target (PR:N), and is devastating to confidentiality, integrity, and availability (C:H/I:H/A:H) because arbitrary code execution compromises everything in the user’s context. The one factor holding the v3.1 score below 9.0 is the user-interaction metric, UI:R: the victim must click the link. With UI:N the same impact metrics would score 9.8; with the click required, the v3.1 arithmetic lands at 8.8.

The vendor advisory, published through GitHub’s security advisory system, instead applies CVSS v4.0 and arrives at 9.4 (Critical), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. The v4.0 framework separates “Vulnerable System” impact (VC/VI/VA) from “Subsequent System” impact (SC/SI/SA), and it replaces v3.1’s single “Required” interaction level with two: Passive (UI:P), for interactions the user performs without consciously engaging the attacker’s payload, and Active (UI:A), for deliberate steps such as dismissing a security warning. The advisory rates a link click as Passive. Because code execution on the host can cascade into other systems the user can reach, the subsequent-system impacts are all High, which pushes the v4.0 number up. The honest reading is that both scores describe the same dangerous bug; v4.0’s richer model simply captures the blast radius more aggressively. Defenders should treat this as a critical-severity issue regardless of which number their tooling surfaces.

What is affected, and how to remediate

The affected product is Tabby, a popular cross-platform, highly configurable terminal emulator. The NVD record states the issue exists in all releases prior to 1.0.233 and is fixed in that version. Because the URL-scheme registration happens “on all platforms,” Windows, macOS, and Linux installations are in scope; the specifics of how each OS dispatches a clicked custom-scheme link differ, but the registered handler is the common denominator.

The remediation is direct: upgrade to Tabby 1.0.233 or later. Users who cannot immediately upgrade can reduce exposure by unregistering or disabling the tabby:// protocol handler at the operating-system level, which severs the click-to-execute path even on a vulnerable build. Organizations that deploy developer tooling at scale should audit which machines have Tabby installed — terminal emulators are exactly the kind of tool engineers install individually, outside managed software catalogs — and prioritize the update on developer workstations, which tend to hold credentials, SSH keys, and access to production systems that make a single RCE far more consequential than the base score implies.
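The OS-level workaround above, as an added example for Linux desktops (not Tabby's code, not a procedure from the advisory): on freedesktop systems a custom scheme is registered through a .desktop file's MimeType entry of the form x-scheme-handler/tabby, and the user's mimeapps.list decides which desktop file wins. The block below inventories every x-scheme-handler claim in such a file and produces an edited file that drops the scheme from the Default and Added sections and lists it under [Removed Associations], which also overrides a claim made by a system-wide .desktop file. The file contents are constructed, and "tabby.desktop" is an assumed desktop-file ID rather than one taken from the project.

```javascript
// Added example: inventory and disable x-scheme-handler registrations in a
// freedesktop mimeapps.list. Contents below are constructed for the example;
// "tabby.desktop" is an assumed desktop-file ID, not Tabby's actual one.
const SAMPLE_MIMEAPPS = `[Default Applications]
x-scheme-handler/http=firefox.desktop
x-scheme-handler/tabby=tabby.desktop
text/plain=org.gnome.TextEditor.desktop

[Added Associations]
x-scheme-handler/tabby=tabby.desktop;
x-scheme-handler/zoommtg=Zoom.desktop;
`;

// Parse the INI-like file into { section: { key: [desktopIds] } }.
// Values are semicolon-separated desktop IDs, with or without a trailing ";".
function parseMimeapps(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) { current = header[1]; if (!sections[current]) sections[current] = {}; continue; }
    if (!current) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const ids = line.slice(eq + 1).split(";").map((s) => s.trim()).filter(Boolean);
    sections[current][key] = ids;
  }
  return sections;
}

// Every URL scheme some application currently claims, and in which section.
// [Removed Associations] is excluded because entries there are unclaims.
function schemeHandlers(text) {
  const out = [];
  const sections = parseMimeapps(text);
  for (const name of ["Default Applications", "Added Associations"]) {
    for (const [key, ids] of Object.entries(sections[name] || {})) {
      if (!key.startsWith("x-scheme-handler/")) continue;
      out.push({ scheme: key.slice("x-scheme-handler/".length), handlers: ids, section: name });
    }
  }
  return out;
}

function serialize(sections) {
  return Object.entries(sections)
    .map(([name, entries]) =>
      `[${name}]\n` + Object.entries(entries).map(([k, ids]) => `${k}=${ids.join(";")}`).join("\n"))
    .join("\n\n") + "\n";
}

// Return a mimeapps.list that no longer routes `scheme` to `desktopId`.
function disableScheme(text, scheme, desktopId) {
  const key = `x-scheme-handler/${scheme}`;
  const sections = parseMimeapps(text);
  for (const name of ["Default Applications", "Added Associations"]) {
    const ids = sections[name] && sections[name][key];
    if (!ids) continue;
    const kept = ids.filter((id) => id !== desktopId);
    if (kept.length) sections[name][key] = kept; else delete sections[name][key];
  }
  if (!sections["Removed Associations"]) sections["Removed Associations"] = {};
  const removed = sections["Removed Associations"][key] || [];
  if (!removed.includes(desktopId)) removed.push(desktopId);
  sections["Removed Associations"][key] = removed;
  return serialize(sections);
}
```

On a real machine the input is ~/.config/mimeapps.list, and `xdg-mime query default x-scheme-handler/tabby` is the quick way to confirm the result. Windows keeps the equivalent registration as a registry key named after the scheme (under Software\Classes in HKCU or HKLM) carrying a "URL Protocol" value and a shell\open\command subkey, so the inventory there is a walk of those keys rather than a file parse; macOS routes through Launch Services and is the least convenient to adjust by hand.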

The broader lesson for defenders is to treat custom URL schemes as an inbound attack surface, not a UX nicety. Any application that registers a scheme is accepting instructions from arbitrary web content; the moment one of those instructions is “run this command,” the only thing standing between a link and code execution is the gating the developers chose to add. In Tabby’s case, that gating was absent until 1.0.233. The practical takeaway is to inventory which installed applications register protocol handlers, keep them patched, and be skeptical of links that try to launch a local app — the click, not the keyboard, is increasingly where execution begins.