CVE Catalog

CVE-2026-45744

CriticalCVSS 9.9
Published: Updated: Translated: NVD NIST

Summary

Termix is a web-based server management platform that was vulnerable to OS command injection in the GET /ssh/file_manager/ssh/resolvePath endpoint prior to version 2.3.2. This allows authenticated users to execute arbitrary commands on the connected remote host.

Risk Assessment

This vulnerability poses a significant security risk as any authenticated user with an active File Manager SSH session can gain full control over the remote system.

Recommendation

It is recommended to upgrade to version 2.3.2 or later to mitigate this vulnerability and secure the system against unauthorized access.

Original NVD description (English source)

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in Termix is vulnerable to OS command injection. The endpoint uses double-quote escaping for shell command construction, which does not prevent $(...) and backtick command substitution. Any authenticated user with an active File Manager SSH session can execute arbitrary commands on the connected remote host. Version 2.3.2 patches the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS