Description
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /ssh/tunnel/connect` endpoint in Termix prior to version 2.3.2 builds an SSH tunnel command by interpolating user-controlled host record fields (`endpointIP`, `endpointUsername`, `password`) directly into a shell command without escaping, allowing persistent OS command injection on the source SSH host. Version 2.3.2 patches the issue.
Published: 2026-06-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Termix is a web‑based server management platform that provides SSH terminal and tunneling features. A flaw in the POST /ssh/tunnel/connect endpoint allows a user to inject arbitrary content into host record fields which are directly placed into a shell command. This enables a remote attacker to execute any OS command on the host that Termix connects to via SSH, compromising confidentiality, integrity, and availability of that host.

Affected Systems

The vulnerability affects Termix version 2.3.1 and earlier. Termix versions prior to 2.3.2 are vulnerable. The attack escalates from the web application to the underlying SSH host.

Risk and Exploitability

The CVSS score of 9.8 demonstrates a high severity, and the EPSS score is unavailable. The vulnerability has not been listed in the CISA KEV catalog. The likely attack vector is through the web interface’s tunnel creation endpoint, permitting persistent command injection on the source SSH host.

Generated by OpenCVE AI on June 5, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the termix‑2.3.2 update immediately
  • Disable SSH tunnel creation functionality until the fix is applied
  • Audit SSH configuration and logs for signs of exploitation

Generated by OpenCVE AI on June 5, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /ssh/tunnel/connect` endpoint in Termix prior to version 2.3.2 builds an SSH tunnel command by interpolating user-controlled host record fields (`endpointIP`, `endpointUsername`, `password`) directly into a shell command without escaping, allowing persistent OS command injection on the source SSH host. Version 2.3.2 patches the issue.
Title Termix Vulnerable to Remote Code Execution via SSH Tunnel Forward Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T18:00:26.211Z

Reserved: 2026-05-13T06:54:34.220Z

Link: CVE-2026-45748

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-05T18:17:31.000

Modified: 2026-06-05T19:00:25.007

Link: CVE-2026-45748

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T19:45:03Z

Weaknesses