RCE in Eugeny Tabby

CVE-2025-22136

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.217 , Tabby enables several high-risk Electron Fuses, including RunAsNode, EnableNodeCliInspectArguments, and EnableNodeOptionsEnvironmentVariable. These fu…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.003 (55.8th percentile) — read the EPSS interpretation.

Affected products

Eugeny Tabby — versions < 1.0.217

Weakness classification (CWE)

CWE-94 — Code Injection

References

https://github.com/Eugeny/tabby/security/advisories/GHSA-prcj-7rvc-26h4 (x_refsource_CONFIRM)
https://github.com/Eugeny/tabby/commit/93513541f7161fa8a59491603cabb6a101c0c08e (x_refsource_MISC)