CVE-2026-42454
Received Received - Intake
Remote Code Execution in Termix via Container ID Injection

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate the containerId URL path parameter and WebSocket message field directly into shell commands executed via ssh2.Client.exec() on remote managed servers without any sanitization or validation. An authenticated attacker can inject arbitrary OS commands by crafting a malicious container ID, achieving Remote Code Execution on any managed server. This issue has been patched in version 2.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42454
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
termix termix to 2.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Termix, a web-based server management platform. Before version 2.1.0, Termix's Docker container management endpoints directly insert the containerId parameter from the URL path and WebSocket messages into shell commands executed on remote servers without any sanitization or validation.

Because of this lack of input validation, an authenticated attacker can craft a malicious container ID that injects arbitrary operating system commands. This leads to Remote Code Execution (RCE) on any managed server.

The issue was fixed in Termix version 2.1.0.

Impact Analysis

This vulnerability can have severe impacts because it allows an authenticated attacker to execute arbitrary commands on any managed server remotely.

  • Complete compromise of the affected server's confidentiality, integrity, and availability.
  • Potential unauthorized access to sensitive data stored or processed on the server.
  • Disruption of services running on the managed servers.
  • Possibility for attackers to move laterally within the network or deploy further malicious payloads.
Mitigation Strategies

The vulnerability has been patched in Termix version 2.1.0. The immediate step to mitigate this vulnerability is to upgrade Termix to version 2.1.0 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42454. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart