Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
18 vulnerabilities by termix
CVE-2026-45750 (GCVE-0-2026-45750)
Vulnerability from nvd – Published: 2026-06-05 18:06 – Updated: 2026-06-10 03:58
VLAI
Title
Termix Vulnerable to Arbitrary Command Execution in File Manager
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in the Termix File Manager component unsafely processes the path parameter and embeds it into a shell command executed over the active SSH session. Because the user-controlled value is placed inside double quotes and only double quotes are escaped, shell command substitution syntax such as $(...) is still interpreted by the remote shell. Version 2.3.2 fixes the issue.
Severity
9 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
| https://github.com/Termix-SSH/Termix/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
< 2.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45750",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:36.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-v26q-rpv5-9m72"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in the Termix File Manager component unsafely processes the path parameter and embeds it into a shell command executed over the active SSH session. Because the user-controlled value is placed inside double quotes and only double quotes are escaped, shell command substitution syntax such as $(...) is still interpreted by the remote shell. Version 2.3.2 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:06:04.693Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-v26q-rpv5-9m72",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-v26q-rpv5-9m72"
},
{
"name": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag"
}
],
"source": {
"advisory": "GHSA-v26q-rpv5-9m72",
"discovery": "UNKNOWN"
},
"title": "Termix Vulnerable to Arbitrary Command Execution in File Manager"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45750",
"datePublished": "2026-06-05T18:06:04.693Z",
"dateReserved": "2026-05-13T06:54:34.221Z",
"dateUpdated": "2026-06-10T03:58:36.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45749 (GCVE-0-2026-45749)
Vulnerability from nvd – Published: 2026-06-05 18:05 – Updated: 2026-06-10 03:58
VLAI
Title
Termix's TOTP two-factor authentication can be disabled or bypassed using only the account password
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical operations. An attacker who obtains a user's password (phishing, credential stuffing, the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes, without ever possessing the TOTP device or knowing a valid TOTP code. This renders two-factor authentication ineffective. Version 2.3.2 patches the issue.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-308 - Use of Single-factor Authentication
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
| https://github.com/Termix-SSH/Termix/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
< 2.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45749",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:39.833Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-wqfw-rqj7-fv9m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical operations. An attacker who obtains a user\u0027s password (phishing, credential stuffing, the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes, without ever possessing the TOTP device or knowing a valid TOTP code. This renders two-factor authentication ineffective. Version 2.3.2 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-308",
"description": "CWE-308: Use of Single-factor Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:05:11.443Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-wqfw-rqj7-fv9m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-wqfw-rqj7-fv9m"
},
{
"name": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag"
}
],
"source": {
"advisory": "GHSA-wqfw-rqj7-fv9m",
"discovery": "UNKNOWN"
},
"title": "Termix\u0027s TOTP two-factor authentication can be disabled or bypassed using only the account password"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45749",
"datePublished": "2026-06-05T18:05:11.443Z",
"dateReserved": "2026-05-13T06:54:34.220Z",
"dateUpdated": "2026-06-10T03:58:39.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45748 (GCVE-0-2026-45748)
Vulnerability from nvd – Published: 2026-06-05 18:00 – Updated: 2026-06-10 03:58
VLAI
Title
Termix Vulnerable to Remote Code Execution via SSH Tunnel Forward Command Injection
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /ssh/tunnel/connect` endpoint in Termix prior to version 2.3.2 builds an SSH tunnel command by interpolating user-controlled host record fields (`endpointIP`, `endpointUsername`, `password`) directly into a shell command without escaping, allowing persistent OS command injection on the source SSH host. Version 2.3.2 patches the issue.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
| https://github.com/Termix-SSH/Termix/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
< 2.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45748",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:40.973Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-xmjh-8cc2-qm49"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /ssh/tunnel/connect` endpoint in Termix prior to version 2.3.2 builds an SSH tunnel command by interpolating user-controlled host record fields (`endpointIP`, `endpointUsername`, `password`) directly into a shell command without escaping, allowing persistent OS command injection on the source SSH host. Version 2.3.2 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:00:26.211Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-xmjh-8cc2-qm49",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-xmjh-8cc2-qm49"
},
{
"name": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag"
}
],
"source": {
"advisory": "GHSA-xmjh-8cc2-qm49",
"discovery": "UNKNOWN"
},
"title": "Termix Vulnerable to Remote Code Execution via SSH Tunnel Forward Command Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45748",
"datePublished": "2026-06-05T18:00:26.211Z",
"dateReserved": "2026-05-13T06:54:34.220Z",
"dateUpdated": "2026-06-10T03:58:40.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45746 (GCVE-0-2026-45746)
Vulnerability from nvd – Published: 2026-06-05 17:59 – Updated: 2026-06-10 03:58
VLAI
Title
Termix Vulnerable to Arbitrary Command Execution via Session Hijacking
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to improper validation of the sessionId parameter. The backend trusts a client-controlled identifier without verifying that it belongs to the authenticated user. This allows an attacker to manipulate the value and access active File Manager sessions belonging to other users. Since these sessions are tied to SSH connections to remote VPS instances, exploitation allows unauthorized interaction with another user's remote filesystem. Because the File Manager exposes functionality such as file reading, writing, uploading, and execution, this vulnerability enables direct command execution on another user's VPS (RCE). Version 2.3.2 patches the issue.
Severity
9 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
< 2.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45746",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:43.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-cx2r-843c-vww8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to improper validation of the sessionId parameter. The backend trusts a client-controlled identifier without verifying that it belongs to the authenticated user. This allows an attacker to manipulate the value and access active File Manager sessions belonging to other users. Since these sessions are tied to SSH connections to remote VPS instances, exploitation allows unauthorized interaction with another user\u0027s remote filesystem. Because the File Manager exposes functionality such as file reading, writing, uploading, and execution, this vulnerability enables direct command execution on another user\u0027s VPS (RCE). Version 2.3.2 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T17:59:23.593Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-cx2r-843c-vww8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-cx2r-843c-vww8"
}
],
"source": {
"advisory": "GHSA-cx2r-843c-vww8",
"discovery": "UNKNOWN"
},
"title": "Termix Vulnerable to Arbitrary Command Execution via Session Hijacking"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45746",
"datePublished": "2026-06-05T17:59:23.593Z",
"dateReserved": "2026-05-13T06:54:34.220Z",
"dateUpdated": "2026-06-10T03:58:43.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45745 (GCVE-0-2026-45745)
Vulnerability from nvd – Published: 2026-06-05 17:53 – Updated: 2026-06-10 03:58
VLAI
Title
Termix has improper certificate validation in Electron desktop client that enables MITM credential/token theft
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Starting in version 1.7.0, Termix Desktop (Electron) disables TLS certificate validation, allowing a machine-in-the-middle attacker to intercept and modify HTTPS traffic to the configured Termix server. This can lead to credential theft and JWT/session theft during login and normal use. As of time of publication, no known patched versions are available.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
>= 1.7.0, <= 2.2.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45745",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:46.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-r9gw-3w87-mhh7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.0, \u003c= 2.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Starting in version 1.7.0, Termix Desktop (Electron) disables TLS certificate validation, allowing a machine-in-the-middle attacker to intercept and modify HTTPS traffic to the configured Termix server. This can lead to credential theft and JWT/session theft during login and normal use. As of time of publication, no known patched versions are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T17:53:54.278Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-r9gw-3w87-mhh7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-r9gw-3w87-mhh7"
}
],
"source": {
"advisory": "GHSA-r9gw-3w87-mhh7",
"discovery": "UNKNOWN"
},
"title": "Termix has improper certificate validation in Electron desktop client that enables MITM credential/token theft"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45745",
"datePublished": "2026-06-05T17:53:54.278Z",
"dateReserved": "2026-05-13T06:54:34.220Z",
"dateUpdated": "2026-06-10T03:58:46.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45744 (GCVE-0-2026-45744)
Vulnerability from nvd – Published: 2026-06-05 17:58 – Updated: 2026-06-10 03:58
VLAI
Title
Termix has an OS Command Injection in File Manager resolvePath endpoint
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in Termix is vulnerable to OS command injection. The endpoint uses double-quote escaping for shell command construction, which does not prevent $(...) and backtick command substitution. Any authenticated user with an active File Manager SSH session can execute arbitrary commands on the connected remote host. Version 2.3.2 patches the issue.
Severity
9.9 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
| https://github.com/Termix-SSH/Termix/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
< 2.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45744",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:44.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-37f4-wq95-pg33"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in Termix is vulnerable to OS command injection. The endpoint uses double-quote escaping for shell command construction, which does not prevent $(...) and backtick command substitution. Any authenticated user with an active File Manager SSH session can execute arbitrary commands on the connected remote host. Version 2.3.2 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T17:58:05.338Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-37f4-wq95-pg33",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-37f4-wq95-pg33"
},
{
"name": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag"
}
],
"source": {
"advisory": "GHSA-37f4-wq95-pg33",
"discovery": "UNKNOWN"
},
"title": "Termix has an OS Command Injection in File Manager resolvePath endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45744",
"datePublished": "2026-06-05T17:58:05.338Z",
"dateReserved": "2026-05-13T06:54:34.220Z",
"dateUpdated": "2026-06-10T03:58:44.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45743 (GCVE-0-2026-45743)
Vulnerability from nvd – Published: 2026-06-05 17:56 – Updated: 2026-06-10 03:58
VLAI
Title
Termix has a File-Manager Session Hijack via Missing Ownership Check (IDOR)
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. 16 file-manager endpoints in Termix prior to version 2.3.2 do not verify that the requesting user owns the SSH session identified by `sessionId`. An authenticated attacker who knows or guesses another user's active `sessionId` can read, write, delete, download, and execute files on the victim's connected SSH host. Version 2.3.2 patches the issue.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
| https://github.com/Termix-SSH/Termix/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
< 2.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45743",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:45.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-5fqh-77cr-jj5x"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. 16 file-manager endpoints in Termix prior to version 2.3.2 do not verify that the requesting user owns the SSH session identified by `sessionId`. An authenticated attacker who knows or guesses another user\u0027s active `sessionId` can read, write, delete, download, and execute files on the victim\u0027s connected SSH host. Version 2.3.2 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T17:56:53.201Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-5fqh-77cr-jj5x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-5fqh-77cr-jj5x"
},
{
"name": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag"
}
],
"source": {
"advisory": "GHSA-5fqh-77cr-jj5x",
"discovery": "UNKNOWN"
},
"title": "Termix has a File-Manager Session Hijack via Missing Ownership Check (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45743",
"datePublished": "2026-06-05T17:56:53.201Z",
"dateReserved": "2026-05-13T06:54:34.220Z",
"dateUpdated": "2026-06-10T03:58:45.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22804 (GCVE-0-2026-22804)
Vulnerability from nvd – Published: 2026-01-12 22:14 – Updated: 2026-01-13 19:07
VLAI
Title
Termix has a Stored XSS in File Manager leading to Local File Inclusion (LFI) in Electron and Session Hijacking in Browser
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
>= 1.7.0, < 1.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22804",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T14:13:52.820529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T19:07:57.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.0, \u003c 1.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T22:14:03.762Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35"
}
],
"source": {
"advisory": "GHSA-m3cv-5hgp-hv35",
"discovery": "UNKNOWN"
},
"title": "Termix has a Stored XSS in File Manager leading to Local File Inclusion (LFI) in Electron and Session Hijacking in Browser"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22804",
"datePublished": "2026-01-12T22:14:03.762Z",
"dateReserved": "2026-01-09T22:50:10.287Z",
"dateUpdated": "2026-01-13T19:07:57.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59951 (GCVE-0-2025-59951)
Vulnerability from nvd – Published: 2025-10-01 21:52 – Updated: 2025-10-06 18:33
VLAI
Title
Termix' official Docker image contains an authentication bypass vulnerability
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The official Docker image for Termix versions 1.5.0 and below, due to being configured with an Nginx reverse proxy, causes the backend to retrieve the proxy's IP instead of the client's IP when using the req.ip method. This results in isLocalhost always returning True. Consequently, the /ssh/db/host/internal endpoint can be accessed directly without login or authentication. This endpoint records the system's stored SSH host information, including addresses, usernames, and passwords, posing an extremely high security risk. Users who use the official Termix docker image, build their own image using the official dockerfile, or utilize reverse proxy functionality will be affected by this vulnerability. This issue is fixed in version 1.6.0.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/LukeGus/Termix/security/adviso… | x_refsource_CONFIRM |
| https://github.com/LukeGus/Termix/pull/221 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59951",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T18:33:33.661457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T18:33:37.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/LukeGus/Termix/security/advisories/GHSA-92cw-877q-6r94"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "LukeGus",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The official Docker image for Termix versions 1.5.0 and below, due to being configured with an Nginx reverse proxy, causes the backend to retrieve the proxy\u0027s IP instead of the client\u0027s IP when using the req.ip method. This results in isLocalhost always returning True. Consequently, the /ssh/db/host/internal endpoint can be accessed directly without login or authentication. This endpoint records the system\u0027s stored SSH host information, including addresses, usernames, and passwords, posing an extremely high security risk. Users who use the official Termix docker image, build their own image using the official dockerfile, or utilize reverse proxy functionality will be affected by this vulnerability. This issue is fixed in version 1.6.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348: Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T21:52:01.232Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LukeGus/Termix/security/advisories/GHSA-92cw-877q-6r94",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LukeGus/Termix/security/advisories/GHSA-92cw-877q-6r94"
},
{
"name": "https://github.com/LukeGus/Termix/pull/221",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LukeGus/Termix/pull/221"
}
],
"source": {
"advisory": "GHSA-92cw-877q-6r94",
"discovery": "UNKNOWN"
},
"title": "Termix\u0027 official Docker image contains an authentication bypass vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59951",
"datePublished": "2025-10-01T21:52:01.232Z",
"dateReserved": "2025-09-23T14:33:49.506Z",
"dateUpdated": "2025-10-06T18:33:37.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-45750 (GCVE-0-2026-45750)
Vulnerability from cvelistv5 – Published: 2026-06-05 18:06 – Updated: 2026-06-10 03:58
VLAI
Title
Termix Vulnerable to Arbitrary Command Execution in File Manager
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in the Termix File Manager component unsafely processes the path parameter and embeds it into a shell command executed over the active SSH session. Because the user-controlled value is placed inside double quotes and only double quotes are escaped, shell command substitution syntax such as $(...) is still interpreted by the remote shell. Version 2.3.2 fixes the issue.
Severity
9 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
| https://github.com/Termix-SSH/Termix/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
< 2.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45750",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:36.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-v26q-rpv5-9m72"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in the Termix File Manager component unsafely processes the path parameter and embeds it into a shell command executed over the active SSH session. Because the user-controlled value is placed inside double quotes and only double quotes are escaped, shell command substitution syntax such as $(...) is still interpreted by the remote shell. Version 2.3.2 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:06:04.693Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-v26q-rpv5-9m72",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-v26q-rpv5-9m72"
},
{
"name": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag"
}
],
"source": {
"advisory": "GHSA-v26q-rpv5-9m72",
"discovery": "UNKNOWN"
},
"title": "Termix Vulnerable to Arbitrary Command Execution in File Manager"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45750",
"datePublished": "2026-06-05T18:06:04.693Z",
"dateReserved": "2026-05-13T06:54:34.221Z",
"dateUpdated": "2026-06-10T03:58:36.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45749 (GCVE-0-2026-45749)
Vulnerability from cvelistv5 – Published: 2026-06-05 18:05 – Updated: 2026-06-10 03:58
VLAI
Title
Termix's TOTP two-factor authentication can be disabled or bypassed using only the account password
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical operations. An attacker who obtains a user's password (phishing, credential stuffing, the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes, without ever possessing the TOTP device or knowing a valid TOTP code. This renders two-factor authentication ineffective. Version 2.3.2 patches the issue.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-308 - Use of Single-factor Authentication
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
| https://github.com/Termix-SSH/Termix/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
< 2.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45749",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:39.833Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-wqfw-rqj7-fv9m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical operations. An attacker who obtains a user\u0027s password (phishing, credential stuffing, the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes, without ever possessing the TOTP device or knowing a valid TOTP code. This renders two-factor authentication ineffective. Version 2.3.2 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-308",
"description": "CWE-308: Use of Single-factor Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:05:11.443Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-wqfw-rqj7-fv9m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-wqfw-rqj7-fv9m"
},
{
"name": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag"
}
],
"source": {
"advisory": "GHSA-wqfw-rqj7-fv9m",
"discovery": "UNKNOWN"
},
"title": "Termix\u0027s TOTP two-factor authentication can be disabled or bypassed using only the account password"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45749",
"datePublished": "2026-06-05T18:05:11.443Z",
"dateReserved": "2026-05-13T06:54:34.220Z",
"dateUpdated": "2026-06-10T03:58:39.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45748 (GCVE-0-2026-45748)
Vulnerability from cvelistv5 – Published: 2026-06-05 18:00 – Updated: 2026-06-10 03:58
VLAI
Title
Termix Vulnerable to Remote Code Execution via SSH Tunnel Forward Command Injection
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /ssh/tunnel/connect` endpoint in Termix prior to version 2.3.2 builds an SSH tunnel command by interpolating user-controlled host record fields (`endpointIP`, `endpointUsername`, `password`) directly into a shell command without escaping, allowing persistent OS command injection on the source SSH host. Version 2.3.2 patches the issue.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
| https://github.com/Termix-SSH/Termix/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
< 2.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45748",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:40.973Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-xmjh-8cc2-qm49"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /ssh/tunnel/connect` endpoint in Termix prior to version 2.3.2 builds an SSH tunnel command by interpolating user-controlled host record fields (`endpointIP`, `endpointUsername`, `password`) directly into a shell command without escaping, allowing persistent OS command injection on the source SSH host. Version 2.3.2 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:00:26.211Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-xmjh-8cc2-qm49",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-xmjh-8cc2-qm49"
},
{
"name": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag"
}
],
"source": {
"advisory": "GHSA-xmjh-8cc2-qm49",
"discovery": "UNKNOWN"
},
"title": "Termix Vulnerable to Remote Code Execution via SSH Tunnel Forward Command Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45748",
"datePublished": "2026-06-05T18:00:26.211Z",
"dateReserved": "2026-05-13T06:54:34.220Z",
"dateUpdated": "2026-06-10T03:58:40.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45746 (GCVE-0-2026-45746)
Vulnerability from cvelistv5 – Published: 2026-06-05 17:59 – Updated: 2026-06-10 03:58
VLAI
Title
Termix Vulnerable to Arbitrary Command Execution via Session Hijacking
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to improper validation of the sessionId parameter. The backend trusts a client-controlled identifier without verifying that it belongs to the authenticated user. This allows an attacker to manipulate the value and access active File Manager sessions belonging to other users. Since these sessions are tied to SSH connections to remote VPS instances, exploitation allows unauthorized interaction with another user's remote filesystem. Because the File Manager exposes functionality such as file reading, writing, uploading, and execution, this vulnerability enables direct command execution on another user's VPS (RCE). Version 2.3.2 patches the issue.
Severity
9 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
< 2.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45746",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:43.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-cx2r-843c-vww8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to improper validation of the sessionId parameter. The backend trusts a client-controlled identifier without verifying that it belongs to the authenticated user. This allows an attacker to manipulate the value and access active File Manager sessions belonging to other users. Since these sessions are tied to SSH connections to remote VPS instances, exploitation allows unauthorized interaction with another user\u0027s remote filesystem. Because the File Manager exposes functionality such as file reading, writing, uploading, and execution, this vulnerability enables direct command execution on another user\u0027s VPS (RCE). Version 2.3.2 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T17:59:23.593Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-cx2r-843c-vww8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-cx2r-843c-vww8"
}
],
"source": {
"advisory": "GHSA-cx2r-843c-vww8",
"discovery": "UNKNOWN"
},
"title": "Termix Vulnerable to Arbitrary Command Execution via Session Hijacking"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45746",
"datePublished": "2026-06-05T17:59:23.593Z",
"dateReserved": "2026-05-13T06:54:34.220Z",
"dateUpdated": "2026-06-10T03:58:43.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45744 (GCVE-0-2026-45744)
Vulnerability from cvelistv5 – Published: 2026-06-05 17:58 – Updated: 2026-06-10 03:58
VLAI
Title
Termix has an OS Command Injection in File Manager resolvePath endpoint
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in Termix is vulnerable to OS command injection. The endpoint uses double-quote escaping for shell command construction, which does not prevent $(...) and backtick command substitution. Any authenticated user with an active File Manager SSH session can execute arbitrary commands on the connected remote host. Version 2.3.2 patches the issue.
Severity
9.9 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
| https://github.com/Termix-SSH/Termix/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
< 2.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45744",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:44.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-37f4-wq95-pg33"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in Termix is vulnerable to OS command injection. The endpoint uses double-quote escaping for shell command construction, which does not prevent $(...) and backtick command substitution. Any authenticated user with an active File Manager SSH session can execute arbitrary commands on the connected remote host. Version 2.3.2 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T17:58:05.338Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-37f4-wq95-pg33",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-37f4-wq95-pg33"
},
{
"name": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag"
}
],
"source": {
"advisory": "GHSA-37f4-wq95-pg33",
"discovery": "UNKNOWN"
},
"title": "Termix has an OS Command Injection in File Manager resolvePath endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45744",
"datePublished": "2026-06-05T17:58:05.338Z",
"dateReserved": "2026-05-13T06:54:34.220Z",
"dateUpdated": "2026-06-10T03:58:44.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45743 (GCVE-0-2026-45743)
Vulnerability from cvelistv5 – Published: 2026-06-05 17:56 – Updated: 2026-06-10 03:58
VLAI
Title
Termix has a File-Manager Session Hijack via Missing Ownership Check (IDOR)
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. 16 file-manager endpoints in Termix prior to version 2.3.2 do not verify that the requesting user owns the SSH session identified by `sessionId`. An authenticated attacker who knows or guesses another user's active `sessionId` can read, write, delete, download, and execute files on the victim's connected SSH host. Version 2.3.2 patches the issue.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
| https://github.com/Termix-SSH/Termix/releases/tag… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
< 2.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45743",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:45.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-5fqh-77cr-jj5x"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. 16 file-manager endpoints in Termix prior to version 2.3.2 do not verify that the requesting user owns the SSH session identified by `sessionId`. An authenticated attacker who knows or guesses another user\u0027s active `sessionId` can read, write, delete, download, and execute files on the victim\u0027s connected SSH host. Version 2.3.2 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T17:56:53.201Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-5fqh-77cr-jj5x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-5fqh-77cr-jj5x"
},
{
"name": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag"
}
],
"source": {
"advisory": "GHSA-5fqh-77cr-jj5x",
"discovery": "UNKNOWN"
},
"title": "Termix has a File-Manager Session Hijack via Missing Ownership Check (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45743",
"datePublished": "2026-06-05T17:56:53.201Z",
"dateReserved": "2026-05-13T06:54:34.220Z",
"dateUpdated": "2026-06-10T03:58:45.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45745 (GCVE-0-2026-45745)
Vulnerability from cvelistv5 – Published: 2026-06-05 17:53 – Updated: 2026-06-10 03:58
VLAI
Title
Termix has improper certificate validation in Electron desktop client that enables MITM credential/token theft
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Starting in version 1.7.0, Termix Desktop (Electron) disables TLS certificate validation, allowing a machine-in-the-middle attacker to intercept and modify HTTPS traffic to the configured Termix server. This can lead to credential theft and JWT/session theft during login and normal use. As of time of publication, no known patched versions are available.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
>= 1.7.0, <= 2.2.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45745",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:46.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-r9gw-3w87-mhh7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.0, \u003c= 2.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Starting in version 1.7.0, Termix Desktop (Electron) disables TLS certificate validation, allowing a machine-in-the-middle attacker to intercept and modify HTTPS traffic to the configured Termix server. This can lead to credential theft and JWT/session theft during login and normal use. As of time of publication, no known patched versions are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T17:53:54.278Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-r9gw-3w87-mhh7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-r9gw-3w87-mhh7"
}
],
"source": {
"advisory": "GHSA-r9gw-3w87-mhh7",
"discovery": "UNKNOWN"
},
"title": "Termix has improper certificate validation in Electron desktop client that enables MITM credential/token theft"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45745",
"datePublished": "2026-06-05T17:53:54.278Z",
"dateReserved": "2026-05-13T06:54:34.220Z",
"dateUpdated": "2026-06-10T03:58:46.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22804 (GCVE-0-2026-22804)
Vulnerability from cvelistv5 – Published: 2026-01-12 22:14 – Updated: 2026-01-13 19:07
VLAI
Title
Termix has a Stored XSS in File Manager leading to Local File Inclusion (LFI) in Electron and Session Hijacking in Browser
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Termix-SSH/Termix/security/adv… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Termix-SSH | Termix |
Affected:
>= 1.7.0, < 1.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22804",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T14:13:52.820529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T19:07:57.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "Termix-SSH",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.0, \u003c 1.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T22:14:03.762Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35"
}
],
"source": {
"advisory": "GHSA-m3cv-5hgp-hv35",
"discovery": "UNKNOWN"
},
"title": "Termix has a Stored XSS in File Manager leading to Local File Inclusion (LFI) in Electron and Session Hijacking in Browser"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22804",
"datePublished": "2026-01-12T22:14:03.762Z",
"dateReserved": "2026-01-09T22:50:10.287Z",
"dateUpdated": "2026-01-13T19:07:57.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59951 (GCVE-0-2025-59951)
Vulnerability from cvelistv5 – Published: 2025-10-01 21:52 – Updated: 2025-10-06 18:33
VLAI
Title
Termix' official Docker image contains an authentication bypass vulnerability
Summary
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The official Docker image for Termix versions 1.5.0 and below, due to being configured with an Nginx reverse proxy, causes the backend to retrieve the proxy's IP instead of the client's IP when using the req.ip method. This results in isLocalhost always returning True. Consequently, the /ssh/db/host/internal endpoint can be accessed directly without login or authentication. This endpoint records the system's stored SSH host information, including addresses, usernames, and passwords, posing an extremely high security risk. Users who use the official Termix docker image, build their own image using the official dockerfile, or utilize reverse proxy functionality will be affected by this vulnerability. This issue is fixed in version 1.6.0.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/LukeGus/Termix/security/adviso… | x_refsource_CONFIRM |
| https://github.com/LukeGus/Termix/pull/221 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59951",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T18:33:33.661457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T18:33:37.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/LukeGus/Termix/security/advisories/GHSA-92cw-877q-6r94"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Termix",
"vendor": "LukeGus",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The official Docker image for Termix versions 1.5.0 and below, due to being configured with an Nginx reverse proxy, causes the backend to retrieve the proxy\u0027s IP instead of the client\u0027s IP when using the req.ip method. This results in isLocalhost always returning True. Consequently, the /ssh/db/host/internal endpoint can be accessed directly without login or authentication. This endpoint records the system\u0027s stored SSH host information, including addresses, usernames, and passwords, posing an extremely high security risk. Users who use the official Termix docker image, build their own image using the official dockerfile, or utilize reverse proxy functionality will be affected by this vulnerability. This issue is fixed in version 1.6.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348: Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T21:52:01.232Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LukeGus/Termix/security/advisories/GHSA-92cw-877q-6r94",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LukeGus/Termix/security/advisories/GHSA-92cw-877q-6r94"
},
{
"name": "https://github.com/LukeGus/Termix/pull/221",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LukeGus/Termix/pull/221"
}
],
"source": {
"advisory": "GHSA-92cw-877q-6r94",
"discovery": "UNKNOWN"
},
"title": "Termix\u0027 official Docker image contains an authentication bypass vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59951",
"datePublished": "2025-10-01T21:52:01.232Z",
"dateReserved": "2025-09-23T14:33:49.506Z",
"dateUpdated": "2025-10-06T18:33:37.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}