Description
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in the Termix File Manager component unsafely processes the path parameter and embeds it into a shell command executed over the active SSH session. Because the user-controlled value is placed inside double quotes and only double quotes are escaped, shell command substitution syntax such as $(...) is still interpreted by the remote shell. Version 2.3.2 fixes the issue.
Published: 2026-06-05
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Termix’s File Manager component accepts a path parameter that is concatenated into a shell command executed on the server’s SSH session. Because only double quotes are escaped, command substitution syntax such as $(…) is still interpreted by the remote shell, allowing an attacker to inject arbitrary shell commands. The vulnerability is an OS Command Injection (CWE‑78) that can be triggered by a user with access to the web interface, potentially leading to full remote code execution on the host with the privileges of the SSH session.

Affected Systems

The vulnerability affects all Termix‑SSH Termix releases older than version 2.3.2, specifically 2.3.1 and earlier. Any deployment of Termix that has not applied the 2.3.2 release is susceptible.

Risk and Exploitability

The CVSS score of 9 indicates a critical severity, and while the EPSS score is not available, the lack of a KEV listing does not reduce the risk of exploitation. The attack can be carried out remotely by sending a crafted GET request to the /ssh/file_manager/ssh/resolvePath endpoint from an authenticated session, which then executes the injected payload on the backend server.

Generated by OpenCVE AI on June 5, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Termix to version 2.3.2 or later
  • If an upgrade is not possible immediately, block or restrict access to the /ssh/file_manager/ssh/resolvePath endpoint using network controls or role‑based access policies
  • Deploy a web application firewall that detects and blocks shell injection patterns in the path parameter

Generated by OpenCVE AI on June 5, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:termix:termix:*:*:*:*:*:*:*:*

Sun, 07 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Termix
Termix termix
Vendors & Products Termix
Termix termix

Fri, 05 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in the Termix File Manager component unsafely processes the path parameter and embeds it into a shell command executed over the active SSH session. Because the user-controlled value is placed inside double quotes and only double quotes are escaped, shell command substitution syntax such as $(...) is still interpreted by the remote shell. Version 2.3.2 fixes the issue.
Title Termix Vulnerable to Arbitrary Command Execution in File Manager
Weaknesses CWE-639
CWE-78
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Termix Termix
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T03:58:36.556Z

Reserved: 2026-05-13T06:54:34.221Z

Link: CVE-2026-45750

cve-icon Vulnrichment

Updated: 2026-06-08T16:09:32.356Z

cve-icon NVD

Status : Modified

Published: 2026-06-05T18:17:32.463

Modified: 2026-06-08T17:16:44.830

Link: CVE-2026-45750

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T11:00:11Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')