Description
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, the extractArchive and compressFiles endpoints in file-manager.ts use double-quoted strings for shell command construction, unlike all other file manager operations which use single-quote escaping. Double quotes allow $(command) substitution, enabling command injection on the remote SSH host. This issue has been patched in version 2.1.0.
Published: 2026-05-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Termix is a web-based server management platform that enables SSH terminal, tunneling, and file editing. A flaw in the extractArchive and compressFiles endpoints of the file manager layer was discovered: the code builds shell commands using double-quoted strings instead of single-quoted escaping, which allows command substitution such as $(command). An attacker who can invoke these endpoints can therefore inject arbitrary commands that are executed on the remote SSH host, leading to full control over the server. The weakness is an instance of CWE-77, which describes command injection vulnerabilities.

Affected Systems

The vulnerable product is Termix managed by Termix-SSH. All releases before version 2.1.0 are affected. Endpoints impacted are extractArchive and compressFiles in file-manager.ts. Users running older Termix versions should upgrade to 2.1.0 or later to receive the fix.

Risk and Exploitability

The CVSS score of 8.7 ranks this issue as High severity. No EPSS data is available, so the current exploitation probability cannot be quantified. The vulnerability is not yet listed in the CISA KEV catalog. The damage is limited to those who can authenticate to the file manager and invoke the vulnerable endpoints; however, once accessed, the attacker can run arbitrary commands on the backend SSH host.

Generated by OpenCVE AI on May 9, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Termix to version 2.1.0 or later to patch the command injection flaw.
  • If a quick upgrade is not possible, limit access to the file-manager endpoints to trusted users or restrict traffic to the application from known IP ranges.
  • Ensure that any custom code or future updates enforce strict input validation and avoid using shell string interpolation for commands; employ safe APIs or proper escaping to eliminate command injection vectors.
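As an added illustration of the single-quote escaping the advisory contrasts with the double-quoted construction (example code, not Termix's file-manager.ts; the function names, the tar invocation and the sample path are assumptions), the block below pairs a quoting helper with a lint that flags metacharacters left outside single quotes before a command is sent over SSH:

```typescript
// Added example, not Termix code. Function names, the tar invocation and the
// sample path are assumptions made for illustration.

// POSIX single-quote escaping: inside '...' every character is literal, so
// $(...), backticks and $VAR cannot expand. A literal ' is written as '\''
// (close the quote, backslash-escaped quote, reopen).
function shellQuote(arg: string): string {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Hardened construction: every untrusted path goes through shellQuote.
function buildExtractCommand(archivePath: string, destDir: string): string {
  return `tar -xzf ${shellQuote(archivePath)} -C ${shellQuote(destDir)}`;
}

// The flawed pattern the advisory describes: double quotes keep $(...) active.
// Retained only so the audit below has a negative case to flag.
function buildExtractCommandUnsafe(archivePath: string, destDir: string): string {
  return `tar -xzf "${archivePath}" -C "${destDir}"`;
}

// Lint for command strings before they reach the SSH channel: walk the string
// tracking single-quote state and report every shell metacharacter that sits
// outside a single-quoted region (i.e. one the shell would interpret).
function unquotedMetachars(cmd: string): string[] {
  const found: string[] = [];
  let inSingle = false;
  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd[i];
    if (inSingle) {
      if (ch === "'") inSingle = false;
      continue;
    }
    if (ch === "'") { inSingle = true; continue; }
    if (ch === "\\") { i++; continue; }          // backslash-escaped char is literal
    if ("$`;|&<>()".includes(ch)) found.push(ch);
  }
  return found;
}

// Constructed filename carrying a harmless substitution marker.
const probe = "archive$(echo x).tar.gz";
console.log(buildExtractCommand(probe, "/tmp/out"));
// -> tar -xzf 'archive$(echo x).tar.gz' -C '/tmp/out'
console.log(unquotedMetachars(buildExtractCommandUnsafe(probe, "/tmp/out")));
// -> [ '$', '(', ')' ]
```

The audit returns an empty list for the single-quoted form even when the path itself contains a quote, and lists the unquoted `$`, `(` and `)` for the double-quoted form.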

Generated by OpenCVE AI on May 9, 2026 at 00:22 UTC.

Advisories

No advisories yet.

History

Fri, 08 May 2026 23:15:00 +0000

Type: Description
Values removed: (none)
Values added: Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, the extractArchive and compressFiles endpoints in file-manager.ts use double-quoted strings for shell command construction, unlike all other file manager operations which use single-quote escaping. Double quotes allow $(command) substitution, enabling command injection on the remote SSH host. This issue has been patched in version 2.1.0.

Type: Title
Values removed: (none)
Values added: Termix: Command injection in extractArchive/compressFiles via double-quote escaping bypass

Type: Weaknesses
Values removed: (none)
Values added: CWE-77

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T22:55:30.242Z

Reserved: 2026-04-27T13:55:58.693Z

Link: CVE-2026-42453

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T23:16:38.967

Modified: 2026-05-08T23:16:38.967

Link: CVE-2026-42453

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T00:30:21Z

Weaknesses