CVE-2026-46709
HIGH
NVD
CVSS Score
7.8
Severity
HIGH
Published
Jul 15, 2026
Vendor
unknown
Description
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.234, Tabby inserts dropped file paths from tabby-electron/src/pathDrop.ts into the active shell without neutralizing command substitution metacharacters such as $(โฆ) and `โฆ`, so the incomplete CVE-2026-45038 fix for control characters still allows code execution when the victim presses Enter. This issue is fixed in version 1.0.234.