Description
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /ssh/tunnel/connect` endpoint in Termix prior to version 2.3.2 builds an SSH tunnel command by interpolating user-controlled host record fields (`endpointIP`, `endpointUsername`, `password`) directly into a shell command without escaping, allowing persistent OS command injection on the source SSH host. Version 2.3.2 patches the issue.
Published: 2026-06-05
Score: 9.8 Critical
EPSS: 1.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Termix is a web‑based server management platform that provides SSH terminal and tunneling features. A flaw in the POST /ssh/tunnel/connect endpoint allows a user to inject arbitrary content into host record fields which are directly placed into a shell command. This enables a remote attacker to execute any OS command on the host that Termix connects to via SSH, compromising confidentiality, integrity, and availability of that host.

Affected Systems

The vulnerability affects Termix version 2.3.1 and earlier. Termix versions prior to 2.3.2 are vulnerable. The attack escalates from the web application to the underlying SSH host.

Risk and Exploitability

The CVSS score of 9.8 demonstrates a high severity, and the EPSS score is unavailable. The vulnerability has not been listed in the CISA KEV catalog. The likely attack vector is through the web interface’s tunnel creation endpoint, permitting persistent command injection on the source SSH host.

Generated by OpenCVE AI on June 5, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the termix‑2.3.2 update immediately
  • Disable SSH tunnel creation functionality until the fix is applied
  • Audit SSH configuration and logs for signs of exploitation

Generated by OpenCVE AI on June 5, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:termix:termix:*:*:*:*:*:*:*:*

Sun, 07 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Termix
Termix termix
Vendors & Products Termix
Termix termix

Fri, 05 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /ssh/tunnel/connect` endpoint in Termix prior to version 2.3.2 builds an SSH tunnel command by interpolating user-controlled host record fields (`endpointIP`, `endpointUsername`, `password`) directly into a shell command without escaping, allowing persistent OS command injection on the source SSH host. Version 2.3.2 patches the issue.
Title Termix Vulnerable to Remote Code Execution via SSH Tunnel Forward Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Termix Termix
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T03:58:40.973Z

Reserved: 2026-05-13T06:54:34.220Z

Link: CVE-2026-45748

cve-icon Vulnrichment

Updated: 2026-06-08T16:35:27.303Z

cve-icon NVD

Status : Modified

Published: 2026-06-05T18:17:31.000

Modified: 2026-06-08T17:16:44.697

Link: CVE-2026-45748

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T11:00:11Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')