Description
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in the Termix File Manager component unsafely processes the path parameter and embeds it into a shell command executed over the active SSH session. Because the user-controlled value is placed inside double quotes and only double quotes are escaped, shell command substitution syntax such as $(...) is still interpreted by the remote shell. Version 2.3.2 fixes the issue.
Published: 2026-06-05
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Termix’s File Manager component accepts a path parameter that is concatenated into a shell command executed on the server’s SSH session. Because only double quotes are escaped, command substitution syntax such as $(…) is still interpreted by the remote shell, allowing an attacker to inject arbitrary shell commands. The vulnerability is an OS Command Injection (CWE‑78) that can be triggered by a user with access to the web interface, potentially leading to full remote code execution on the host with the privileges of the SSH session.
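The quoting flaw described above, shown as an added example (this is not Termix code). The function names `build_weak`, `build_safe` and `run_remote` are hypothetical, `printf %s` is a stand-in for whatever command the endpoint actually builds, and a local `sh -c` stands in for the remote shell.

```shell
#!/bin/sh
# Added demonstration, not Termix code. All names are hypothetical and the
# sample path is constructed.

# Weak builder: mirrors the flaw in the description. Only " is escaped and the
# value is placed inside double quotes, where the shell still expands $(...),
# backticks and $VAR.
build_weak() {
    escaped=$(printf '%s' "$1" | sed 's/"/\\"/g')
    printf 'printf %%s "%s"' "$escaped"
}

# Hardened builder: single quotes disable every expansion; the only character
# needing treatment is ' itself, rewritten as '\'' (close, literal ', reopen).
build_safe() {
    escaped=$(printf '%s' "$1" | sed "s/'/'\\\\''/g")
    printf "printf %%s '%s'" "$escaped"
}

# Stand-in for the remote shell that receives the command string (assumption).
run_remote() {
    sh -c "$1"
}

# Constructed input with a harmless marker in place of a real command.
sample='/srv/data/$(echo INJECTED)'

printf 'weak: %s\n' "$(run_remote "$(build_weak "$sample")")"
printf 'safe: %s\n' "$(run_remote "$(build_safe "$sample")")"
```

The weak builder prints `/srv/data/INJECTED` because the substitution ran; the hardened builder prints the input unchanged.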

Affected Systems

The vulnerability affects all releases of Termix‑SSH Termix older than version 2.3.2, that is, 2.3.1 and earlier. Any deployment of Termix that has not applied the 2.3.2 release is susceptible.

Risk and Exploitability

The CVSS score of 9 indicates a critical severity, and while the EPSS score is not available, the lack of a KEV listing does not reduce the risk of exploitation. The attack can be carried out remotely by sending a crafted GET request to the /ssh/file_manager/ssh/resolvePath endpoint from an authenticated session, which then executes the injected payload on the backend server.

Generated by OpenCVE AI on June 5, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Termix to version 2.3.2 or later
  • If an upgrade is not possible immediately, block or restrict access to the /ssh/file_manager/ssh/resolvePath endpoint using network controls or role‑based access policies
  • Deploy a web application firewall that detects and blocks shell injection patterns in the path parameter


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 18:15:00 +0000

Values Added, by Type (the Values Removed column is empty):

  • Description: Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in the Termix File Manager component unsafely processes the path parameter and embeds it into a shell command executed over the active SSH session. Because the user-controlled value is placed inside double quotes and only double quotes are escaped, shell command substitution syntax such as $(...) is still interpreted by the remote shell. Version 2.3.2 fixes the issue.
  • Title: Termix Vulnerable to Arbitrary Command Execution in File Manager
  • Weaknesses: CWE-639, CWE-78
  • References:
  • Metrics: cvssV3_1 {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T18:06:04.693Z

Reserved: 2026-05-13T06:54:34.221Z

Link: CVE-2026-45750

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-05T18:17:32.463

Modified: 2026-06-05T19:00:25.007

Link: CVE-2026-45750

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T19:45:03Z
