Impact
Termix is a web-based server management platform. From version 1.7.0 through 1.9.0 the File Manager component renders SVG files without proper sanitization, creating a stored Cross-Site Scripting weakness. When a user previews a malicious SVG file, the JavaScript embedded in it executes in the context of the application. This arbitrary script execution can steal session tokens and hijack user sessions, and in the Electron environment it may be used to read local files on the system running the client, effectively permitting local file inclusion. The flaw allows an attacker who has already compromised a managed SSH server to plant malicious files that affect other users of the platform.
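The root cause described above is that an SVG file is handed to the page as live markup, so any script it carries runs with the application's origin. As an added example (not Termix's code; the function names, policy and sample SVGs below are constructed assumptions), the following shows the two defensive layers a file-preview feature can apply: a coarse pre-screen that names the scriptable constructs found in an SVG so the upload can be logged or refused, and a preview path that renders the file through an img element, which browsers treat as a passive image context where scripts and event handlers are not executed.

```javascript
// Added example, not code from the Termix project. Names and samples are
// constructed for illustration.

// Constructs that make an SVG scriptable when it is injected as inline
// markup. This is a coarse pre-screen for logging/blocking, not a sanitizer:
// entity encoding and parser quirks can evade pattern matching, so the
// rendering choice below is the actual control.
const RISKY_PATTERNS = [
  { name: "script-element",  re: /<\s*script\b/i },
  { name: "event-handler",   re: /\bon[a-z]+\s*=/i },
  { name: "javascript-url",  re: /(?:href|src|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: "foreignObject",   re: /<\s*foreignObject\b/i },
  { name: "xml-entity",      re: /<!ENTITY\b/i },
];

// Returns the names of every risky construct present in the SVG text.
function flagRiskySvg(svgText) {
  return RISKY_PATTERNS.filter(p => p.re.test(svgText)).map(p => p.name);
}

// Builds a data: URL intended for <img src="...">. Loading SVG through an
// <img> element does not execute scripts or event handlers, unlike inserting
// the markup with innerHTML. Works in Node (Buffer) and browsers (btoa).
function safeSvgPreviewSrc(svgText) {
  const b64 = typeof Buffer !== "undefined"
    ? Buffer.from(svgText, "utf8").toString("base64")
    : btoa(unescape(encodeURIComponent(svgText)));
  return `data:image/svg+xml;base64,${b64}`;
}

// Preview policy (assumed): always render via <img>; under strict mode,
// refuse files that contain scriptable constructs and report why.
function assessSvg(svgText, { strict = true } = {}) {
  const findings = flagRiskySvg(svgText);
  const allowed = !(strict && findings.length > 0);
  return { allowed, findings, src: allowed ? safeSvgPreviewSrc(svgText) : null };
}

// Constructed samples: a harmless icon and a file carrying script hooks.
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">' +
  '<circle cx="5" cy="5" r="4" fill="teal"/></svg>';
const SCRIPTED_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">' +
  '<script>/* constructed marker, no payload */</script>' +
  '<a href="javascript:void 0"><text>x</text></a></svg>';

if (typeof require !== "undefined" && require.main === module) {
  console.log(assessSvg(BENIGN_SVG));   // allowed, findings: []
  console.log(assessSvg(SCRIPTED_SVG)); // blocked, findings list the three hooks
}

module.exports = { flagRiskySvg, safeSvgPreviewSrc, assessSvg, BENIGN_SVG, SCRIPTED_SVG };
```

In the Electron case the page describes, the img-based path also matters because script running in the renderer is what reaches local files; rendering SVG as an image removes that execution step, and a strict Content Security Policy on the preview page gives an independent second line of defence.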
Affected Systems
The vulnerability affects Termix (the Termix-SSH project), specifically releases 1.7.0, 1.8.0 and 1.9.0. Users of these versions remain vulnerable until they upgrade to the subsequent 1.10.0 release, which contains the fix. Any deployment of these releases that allows unfiltered SVG file previewing is at risk.
Risk and Exploitability
With a CVSS score of 8.0, the risk is classified as high. The EPSS estimate is below 1 %, indicating a very low but non-zero probability of exploitation at the time of this assessment. Because an attacker must first gain SSH access to the managed host in order to upload the malicious SVG, the attack vector is not openly accessible; it requires a compromised server before the XSS can be abused. The vulnerability is not listed in CISA's KEV catalog, suggesting there are no known public exploits at the time of writing, yet the potential impact remains significant and warrants swift remediation.
OpenCVE Enrichment