CVE-2026-22804
Stored XSS in Termix File Manager via Unsanitized SVG Preview
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| termix | termix | From 1.7.0 (inc) to 1.9.0 (inc) |
| termix | termix | 1.10.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Termix to version 1.10.0 or later, where the vulnerability is fixed by sanitizing SVG file content before rendering. Until the upgrade, avoid previewing SVG files from untrusted sources in Termix. Additionally, restrict SSH server access to trusted users to prevent attackers from planting malicious SVG files. Consider enabling webSecurity in the Electron desktop version if possible to reduce impact. Monitoring and removing any suspicious SVG files from managed servers can also help mitigate risk. [1]
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Termix File Manager component versions 1.7.0 to 1.9.0. The application fails to sanitize SVG file content before rendering it, allowing an attacker who has compromised a managed SSH server to plant a malicious SVG file. When a Termix user previews this file, arbitrary JavaScript executes in the application's context. In the Electron desktop version, disabled webSecurity settings increase the impact, enabling local file inclusion attacks. The vulnerability arises because SVG content is injected directly into the DOM without sanitization, allowing exploitation via crafted payloads in SVG files. [1]
How can this vulnerability impact me?
The impact depends on the environment. In a web browser, an attacker can steal the victim's JWT token from localStorage, leading to session hijacking and full control over the Termix account. In the Electron desktop version, the vulnerability allows local file inclusion, enabling an attacker to read sensitive local files such as SSH keys and system configuration files, which can be exfiltrated. The attack requires the attacker to first compromise a managed SSH server and rely on the victim to open the malicious file. Overall, it can lead to high confidentiality and integrity breaches. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying malicious SVG files planted on managed SSH servers and monitoring Termix users previewing such files. Since the vulnerability arises from unsanitized SVG content in the File Manager component, you can scan for SVG files containing suspicious `onerror` event handlers or embedded JavaScript payloads. For example, use grep or a similar tool to search for `onerror` attributes or `<script>` elements inside SVG files in directories managed by Termix. Example command: `grep -r --include='*.svg' 'onerror' /path/to/managed/ssh/server/files`. Additionally, monitor Termix application logs for file previews or unusual activity. Note that detection requires access to the managed server filesystem and Termix usage logs. [1]
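The grep command above matches literal strings only. The following Python script is an added detection example, not code from the Termix project or from this advisory: it implements the same check with an XML parser, so that event-handler attributes, `script` elements, `foreignObject` and `javascript:` URIs are found regardless of casing, namespace prefix or character-reference encoding, and it flags files that are not well-formed XML, which the HTML parser behind `innerHTML` would still render. The sample SVG files, their names and the temporary directory layout are constructed for the demonstration.

```python
"""Scan SVG files for constructs that run script when the file is inserted
into a page's DOM. Added detection example, not Termix project code."""
import os
import tempfile
import xml.etree.ElementTree as ET

SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")  # execute script
EXTERNAL_SCHEMES = ("http://", "https://", "file://", "//")       # fetch content
URL_ATTRIBUTES = {"href", "src", "action", "formaction"}          # URI-valued


def _local(name):
    """Drop a Clark-notation namespace such as '{http://www.w3.org/1999/xlink}'."""
    return name.rsplit("}", 1)[-1].lower()


def find_svg_hazards(svg_text):
    """Return (kind, detail) pairs for each script-capable construct.

    An empty list means nothing matched, not that the file is safe; the
    durable fix is sanitizing at render time, as the patched release does.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # innerHTML uses the lenient HTML parser, so a file that is not
        # well-formed XML can still execute in the preview: flag it.
        return [("malformed-xml", str(exc))]

    hazards = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            hazards.append(("script-element", (elem.text or "").strip()[:80]))
        elif tag == "foreignobject":
            hazards.append(("foreignObject", "embeds arbitrary HTML"))
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onerror, onclick, ...
                hazards.append((f"event-handler:{name}", value[:80]))
            elif name in URL_ATTRIBUTES:
                # Browsers skip whitespace inside a scheme ("java\nscript:"),
                # so collapse it before comparing.
                normalized = "".join(value.split()).lower()
                if normalized.startswith(SCRIPT_SCHEMES):
                    hazards.append((f"script-uri:{name}", value[:80]))
                elif normalized.startswith(EXTERNAL_SCHEMES):
                    hazards.append((f"external-ref:{name}", value[:80]))
    return hazards


def scan_directory(path):
    """Walk `path` and return {file: hazards} for every *.svg with findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(path):
        for filename in files:
            if not filename.lower().endswith(".svg"):
                continue
            full = os.path.join(dirpath, filename)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = find_svg_hazards(fh.read())
            if hits:
                report[full] = hits
    return report


# Constructed samples for the demonstration; none is taken from the advisory.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""
# An onerror handler of the kind the text mentions (this one only logs).
HANDLER_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <image href="missing.png" onerror="console.log('ran')"/>
</svg>"""
# A script element, plus a javascript: URI broken up by a newline character
# reference so that a literal grep for "javascript:" misses it.
SCRIPT_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>console.log('script ran')</script>
  <a xlink:href="java&#10;script:void(0)"><text y="10">link</text></a>
</svg>"""
# Unquoted attributes: not well-formed XML, yet the HTML parser renders it.
MALFORMED_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><image href=x onerror=f()></svg>'


def demo():
    """Write the samples to a temporary tree, scan it, and return
    {filename: [hazard kinds]} so the outcome can be checked."""
    samples = {"logo.svg": BENIGN_SVG, "handler.svg": HANDLER_SVG,
               "script.svg": SCRIPT_SVG, "broken.svg": MALFORMED_SVG}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        report = scan_directory(tmp)
    return {os.path.basename(p): [k for k, _ in hits] for p, hits in report.items()}


if __name__ == "__main__":
    for filename, kinds in demo().items():
        print(f"{filename}: {', '.join(kinds)}")
```

Point `scan_directory` at the directory tree exported from a managed server and treat every entry in the report as a file to quarantine and review. The `malformed-xml` finding matters: the preview inserts the file with the HTML parser, so a file that no XML tool can parse is still rendered, and a scanner that silently skips parse errors would miss exactly the files an attacker is most likely to craft. An empty result does not establish that a file is safe; the durable control remains upgrading to the release that sanitizes SVG content before rendering.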