CVE-2026-22804

Published: Jan 12, 2026Modified: Jan 16, 2026

4.7

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.6 / Impact: 2.7

Source: NVD

Description

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0.

Affected (1)

Products: Termix: Termix

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Termix Termix	From 1.7.0 to 1.10.0

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.