CVE-2026-45750
Command Injection in Termix File Manager via Path Parameter
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| termix | termix | to 2.3.2 (exc) |
| termix | termix | From 2.3.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45750 is an arbitrary command execution vulnerability in the Termix File Manager component of the Termix-SSH/Termix application, affecting versions 2.1.0 and earlier.
The issue occurs in the GET /ssh/file_manager/ssh/resolvePath endpoint, where the user-controlled 'path' parameter is improperly sanitized before being embedded into a shell command executed over an active SSH session.
Although double quotes are escaped, shell command substitution syntax such as $(...) is not neutralized, allowing attackers to inject and execute arbitrary commands on the remote host.
Additionally, a broken access control flaw allows attackers to redirect command execution to other users' sessions by manipulating the sessionId parameter, enabling attacks against third-party remote infrastructure within the same Termix instance.
How can this vulnerability impact me? :
This vulnerability can have critical impacts on the confidentiality, integrity, and availability of your systems.
- An attacker with authenticated File Manager access can execute arbitrary commands on the remote host, potentially leading to unauthorized data access or modification.
- The broken access control issue can allow attackers to execute commands on other users' sessions, compromising third-party remote infrastructure.
- Overall, exploitation could lead to system compromise, data breaches, service disruption, and unauthorized control over affected systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your Termix installation is running a vulnerable version (2.1.0 or earlier) and if the GET /ssh/file_manager/ssh/resolvePath endpoint is accessible.
You can check the Termix version by running commands on the server hosting Termix, such as:
- Check the installed Termix version: termix --version or check the package version via your package manager.
To detect exploitation attempts or vulnerability presence on the network, monitor HTTP requests to the vulnerable endpoint for suspicious path parameters containing shell command substitution syntax like $(...). For example, use network monitoring tools or web server logs to search for requests matching:
- GET /ssh/file_manager/ssh/resolvePath?path=$(...)
Additionally, you can use intrusion detection system (IDS) rules or custom scripts to flag requests with suspicious characters such as $(), backticks, or other shell metacharacters in the path parameter.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Termix to version 2.3.2 or later, where the vulnerability has been fixed.
If upgrading immediately is not possible, consider the following temporary measures:
- Restrict access to the Termix File Manager component, especially the /ssh/file_manager/ssh/resolvePath endpoint, to trusted users only.
- Implement network-level controls such as firewall rules or web application firewall (WAF) rules to block requests containing suspicious shell command syntax in the path parameter.
- Monitor logs for unusual activity targeting the vulnerable endpoint and respond promptly to any detected exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated users to execute arbitrary commands on remote hosts via the Termix File Manager component, leading to critical impacts on confidentiality, integrity, and availability of data.
Such impacts can result in unauthorized access to sensitive information, data manipulation, and service disruption, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health data.
Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to potential data breaches and failure to maintain data security.