CVE-2026-22804
Unknown Unknown - Not Provided
Stored XSS in Termix File Manager via Unsanitized SVG Preview

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: GitHub, Inc.

Description
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-22804
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
termix termix From 1.7.0 (inc) to 1.9.0 (inc)
termix termix 1.10.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate mitigation step is to upgrade Termix to version 1.10.0 or later, where the vulnerability is fixed by sanitizing SVG file content before rendering. Until the upgrade, avoid previewing SVG files from untrusted sources in Termix. Additionally, restrict SSH server access to trusted users to prevent attackers from planting malicious SVG files. Consider enabling webSecurity in the Electron desktop version if possible to reduce impact. Monitoring and removing any suspicious SVG files from managed servers can also help mitigate risk. [1]

Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Termix File Manager component versions 1.7.0 to 1.9.0. The application fails to sanitize SVG file content before rendering it, allowing an attacker who has compromised a managed SSH server to plant a malicious SVG file. When a Termix user previews this file, arbitrary JavaScript executes in the application's context. In the Electron desktop version, disabled webSecurity settings increase the impact, enabling local file inclusion attacks. The vulnerability arises because SVG content is injected directly into the DOM without sanitization, allowing exploitation via crafted payloads in SVG files. [1]

Impact Analysis

The impact depends on the environment. In a web browser, an attacker can steal the victim's JWT token from localStorage, leading to session hijacking and full control over the Termix account. In the Electron desktop version, the vulnerability allows local file inclusion, enabling an attacker to read sensitive local files such as SSH keys and system configuration files, which can be exfiltrated. The attack requires the attacker to first compromise a managed SSH server and rely on the victim to open the malicious file. Overall, it can lead to high confidentiality and integrity breaches. [1]

Detection Guidance

Detection involves identifying malicious SVG files planted on managed SSH servers and monitoring Termix users previewing such files. Since the vulnerability arises from unsanitized SVG content in the File Manager component, you can scan for SVG files containing suspicious onerror event handlers or embedded JavaScript payloads. For example, use grep or similar tools to search for 'onerror' or '<script>' tags inside SVG files in directories managed by Termix. Example command: grep -r --include='*.svg' 'onerror' /path/to/managed/ssh/server/files. Additionally, monitor Termix application logs for file previews or unusual activity. Note that detection requires access to the managed server filesystem and Termix usage logs. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22804. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart