CVE-2026-42454 - Vulnerability Details

Description

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate the containerId URL path parameter and WebSocket message field directly into shell commands executed via ssh2.Client.exec() on remote managed servers without any sanitization or validation. An authenticated attacker can inject arbitrary OS commands by crafting a malicious container ID, achieving Remote Code Execution on any managed server. This issue has been patched in version 2.1.0.

Published: 2026-05-08

Score: 9.9 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from an OS command injection flaw in Termix’s Docker container management endpoints. An attacker possessing valid authentication credentials can provide a crafted containerId value that is directly inserted into shell commands executed by the ssh2.Client.exec() method on remote servers. Because no sanitization is performed, the attacker can inject arbitrary shell commands, enabling them to execute code on any managed host and gain full control of the target system, compromising confidentiality, integrity and availability of those servers.

Affected Systems

Termix‑SSH’s Termix web management platform is affected, specifically installations running any version earlier than release‑2.1.0. Versions 2.1.0 and later contain input validation that prevents unsanitized command construction, eliminating the flaw.

Risk and Exploitability

The CVSS score of 9.9 classifies this flaw as critical, indicating a very high risk. EPSS data are not available, and the vulnerability is not listed in CISA’s KEV catalog, but these factors do not mitigate the severity. The likely attack vector is an authenticated HTTP or WebSocket request to the Docker container management endpoint, which the attacker can exploit to inject commands. Successful exploitation grants the attacker remote code execution on any host managed by Termix, making this vulnerability an attractive target for attackers with legitimate access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Termix-SSH

Termix

affected

Version	Status	Constraints
`< 2.1.0`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Termix version 2.1.0 or later on all managed servers.
If an upgrade is delayed, restrict or remove authentication for the Docker management endpoints so only trusted users can invoke them, and implement custom validation to prevent unsanitized command construction.
Monitor SSH execution logs for anomalous containerId values or unexpected command patterns, and limit exposure by placing the management endpoints on a segmented VLAN or applying firewall rules until the patch is deployed.

Generated by OpenCVE AI on May 9, 2026 at 00:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00074.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/Termix-SSH/Termix/releases/tag/release-2.1.0-tag
https://github.com/Termix-SSH/Termix/security/advisories/GHSA-c2g2-hqgq-6w9v

History

Fri, 08 May 2026 23:15:00 +0000

Type	Values Removed	Values Added
Description		Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate the containerId URL path parameter and WebSocket message field directly into shell commands executed via ssh2.Client.exec() on remote managed servers without any sanitization or validation. An authenticated attacker can inject arbitrary OS commands by crafting a malicious container ID, achieving Remote Code Execution on any managed server. This issue has been patched in version 2.1.0.
Title		Termix: OS Command Injection in Docker Container Management Endpoints
Weaknesses		CWE-78
References		https://github.com/Termix-SSH/Termix/releases/tag/release-2.1.0-tag https://github.com/Termix-SSH/Termix/security/advisories/GHSA-c2g2-hqgq-6w9v
Metrics		cvssV3_1 `{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-08T22:56:17.619Z

Updated: 2026-05-08T22:56:17.619Z

Reserved: 2026-04-27T13:55:58.693Z

Link: CVE-2026-42454

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T23:16:39.097

Modified: 2026-05-08T23:16:39.097

Link: CVE-2026-42454

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T01:00:14Z

Weaknesses

CWE-78

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object