{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22804", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T22:50:10.287Z", "datePublished": "2026-01-12T22:14:03.762Z", "dateUpdated": "2026-01-13T19:07:57.276Z"}, "containers": {"cna": {"title": "Termix has a Stored XSS in File Manager leading to Local File Inclusion (LFI) in Electron and Session Hijacking in Browser", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35"}], "affected": [{"vendor": "Termix-SSH", "product": "Termix", "versions": [{"version": ">= 1.7.0, < 1.10.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T22:14:03.762Z"}, "descriptions": [{"lang": "en", "value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0."}], "source": {"advisory": "GHSA-m3cv-5hgp-hv35", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T14:13:52.820529Z", "id": "CVE-2026-22804", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T19:07:57.276Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22804", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-13T14:13:52.820529Z"}}}], "references": [{"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T14:13:55.377Z"}}], "cna": {"title": "Termix has a Stored XSS in File Manager leading to Local File Inclusion (LFI) in Electron and Session Hijacking in Browser", "source": {"advisory": "GHSA-m3cv-5hgp-hv35", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Termix-SSH", "product": "Termix", "versions": [{"status": "affected", "version": ">= 1.7.0, < 1.10.0"}]}], "references": [{"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35", "name": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T22:14:03.762Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22804", "state": "PUBLISHED", "dateUpdated": "2026-01-13T19:07:57.276Z", "dateReserved": "2026-01-09T22:50:10.287Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-12T22:14:03.762Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:termix:termix:*:*:*:*:*:*:*:*", "matchCriteriaId": "912FDA87-25B4-4E18-B7E9-FC8AA0FCF398", "versionEndExcluding": "1.10.0", "versionStartIncluding": "1.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0."}], "id": "CVE-2026-22804", "lastModified": "2026-01-16T18:37:32.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-12T23:15:53.063", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:56:04.164854+00:00", "value": {"mitigation_remediation": ["Upgrade Termix to version\u202f1.10.0 or newer, which includes the patch that sanitizes SVG content. ", "Restrict file uploads to non\u2011SVG types or disable SVG previewing in the File Manager until the patch is applied. ", "Ensure that only trusted administrators have the rights to upload files, strengthen SSH access controls with network segmentation and multi\u2011factor authentication, and regularly audit file upload activities."], "summary": {"action": "Patch", "impact": "Stored XSS enabling arbitrary JavaScript execution in Termix, allowing session hijacking and possible local file inclusion."}, "threat_synthesis": {"affected_systems": "The vulnerability affects Termix, the Termix\u2011SSH project, specifically releases 1.7.0, 1.8.0 and 1.9.0. Users of these versions are vulnerable until the fix is deployed in the subsequent 1.10.0 release. Any deployment of these releases that allows unfiltered SVG file previewing is at risk.", "description_and_impact": "Termix is a web\u2011based server management platform. From versions 1.7.0 through 1.9.0 the File Manager component renders SVG files without proper sanitization, creating a stored Cross\u2011Site Scripting weakness. When a user previews a malicious SVG file, the embedded JavaScript executes in the context of the application. This arbitrary script execution can steal session tokens, hijack user sessions, and in the Electron environment may be used to read local files on the system running the client, effectively permitting local file inclusion. The flaw affords attackers who have already compromised a managed SSH server to plant damaging files that affect other users of the platform.", "risk_and_exploitability": "With a CVSS score of 8.0 the risk is classified as high. The EPSS estimation is below 1\u202f%, indicating a very low but non\u2011zero probability of exploitation at the time of this assessment. Because an attacker must first gain SSH access to the managed host so that they can upload the malicious SVG, the attack vector is not openly accessible; it requires a compromised server before the XSS can be abused. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting there are no known public exploits as of now, yet the potential impact remains significant and warrants swift remediation."}}}}, "created": "2026-01-13T09:27:11.822632+00:00", "updated": "2026-04-18T07:00:11.352211+00:00", "vendors": ["termix", "termix$PRODUCT$termix"]}