CVE-2026-45750
Modified Modified - Updated After Analysis

Command Injection in Termix File Manager via Path Parameter

Vulnerability report for CVE-2026-45750, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in the Termix File Manager component unsafely processes the path parameter and embeds it into a shell command executed over the active SSH session. Because the user-controlled value is placed inside double quotes and only double quotes are escaped, shell command substitution syntax such as $(...) is still interpreted by the remote shell. Version 2.3.2 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-05
Last Modified
2026-06-08
Generated
2026-07-17
AI Q&A
2026-06-05
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
termix termix From 2.1.0 (inc) to 2.3.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-45750 is an arbitrary command execution vulnerability in the Termix File Manager component of the Termix-SSH/Termix application, affecting versions 2.1.0 and earlier.

The issue occurs in the GET /ssh/file_manager/ssh/resolvePath endpoint, where the user-controlled 'path' parameter is improperly sanitized before being embedded into a shell command executed over an active SSH session.

Although double quotes are escaped, shell command substitution syntax such as $(...) is not neutralized, allowing attackers to inject and execute arbitrary commands on the remote host.

Additionally, a broken access control flaw allows attackers to redirect command execution to other users' sessions by manipulating the sessionId parameter, enabling attacks against third-party remote infrastructure within the same Termix instance.

Detection Guidance

Detection of this vulnerability involves identifying if your Termix installation is running a vulnerable version (2.1.0 or earlier) and if the GET /ssh/file_manager/ssh/resolvePath endpoint is accessible.

You can check the Termix version by running commands on the server hosting Termix, such as:

  • Check the installed Termix version: termix --version or check the package version via your package manager.

To detect exploitation attempts or vulnerability presence on the network, monitor HTTP requests to the vulnerable endpoint for suspicious path parameters containing shell command substitution syntax like $(...). For example, use network monitoring tools or web server logs to search for requests matching:

  • GET /ssh/file_manager/ssh/resolvePath?path=$(...)

Additionally, you can use intrusion detection system (IDS) rules or custom scripts to flag requests with suspicious characters such as $(), backticks, or other shell metacharacters in the path parameter.

Impact Analysis

This vulnerability can have critical impacts on the confidentiality, integrity, and availability of your systems.

  • An attacker with authenticated File Manager access can execute arbitrary commands on the remote host, potentially leading to unauthorized data access or modification.
  • The broken access control issue can allow attackers to execute commands on other users' sessions, compromising third-party remote infrastructure.
  • Overall, exploitation could lead to system compromise, data breaches, service disruption, and unauthorized control over affected systems.
Compliance Impact

The vulnerability allows authenticated users to execute arbitrary commands on remote hosts via the Termix File Manager component, leading to critical impacts on confidentiality, integrity, and availability of data.

Such impacts can result in unauthorized access to sensitive information, data manipulation, and service disruption, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health data.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to potential data breaches and failure to maintain data security.

Mitigation Strategies

The primary mitigation step is to upgrade Termix to version 2.3.2 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, consider the following temporary measures:

  • Restrict access to the Termix File Manager component, especially the /ssh/file_manager/ssh/resolvePath endpoint, to trusted users only.
  • Implement network-level controls such as firewall rules or web application firewall (WAF) rules to block requests containing suspicious shell command syntax in the path parameter.
  • Monitor logs for unusual activity targeting the vulnerable endpoint and respond promptly to any detected exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45750. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart