HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-45750Published Modified CNA GitHub_M

CVE-2026-45750: Termix Vulnerable to Arbitrary Command Execution in File Manager

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in the Termix File Manager component unsafely processes the path parameter and embeds it into a shell command executed over the active SSH session. Because the user-controlled value is placed inside double quotes and only double quotes are escaped, shell command substitution syntax such as $(...) is still interpreted by the remote shell. Version 2.3.2 fixes the issue.

Metrics

CVSS v3.1
9.0
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a command injection vulnerability in Termix, a web-based server management platform. The File Manager component's resolvePath endpoint embeds a user-supplied path parameter directly into a shell command executed over an active SSH session; because only double quotes are escaped, an attacker can inject shell command substitution syntax (such as $(...)) to run arbitrary commands on the remote server. Exploitation requires network access and a low-privilege authenticated session, but no fix version has been published yet. HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as a fix is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-45750 is available across every HarborGuard environment. Images in customer registries and CI/CD pipelines, including custom-built images that bundle Termix, are matched against this CVE within minutes of upstream feed ingestion.

Available
Triage

Triage is available using the CVSS v3.1 score of 9.0 (Critical), with per-environment compliance policy weighting applied to prioritize routing. Findings are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available
Patch

No fix version has been published for this CVE. HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the Termix web service via HTTP/HTTPS.

  • AuthenticationRequired

    Any low-privilege authenticated account in Termix is sufficient to reach the vulnerable endpoint and inject commands.

  • Victim interactionRequired

    A victim user must interact with the application (for example, open a crafted link or navigate to a manipulated path) for the injected command to execute in the context of their active SSH session.

  • Attack complexityDetail

    Attack complexity is low, meaning the injection is straightforward and reliable with no race conditions or special environmental prerequisites required.

Blast Radius

  • A successful attacker executes arbitrary shell commands on the remote server that Termix manages over SSH, with the privileges of the SSH session user.
  • Confidential data on the remote server, including credentials, configuration files, and application data, is readable by the attacker.
  • The attacker can write, modify, or delete files and database records on the remote server.
  • The attacker can crash running services or render the remote server unavailable by terminating processes or consuming resources.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45750 is active across all customer environments, matching any image that bundles an affected version of Termix. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically when version 2.3.2 or a later fix is released. For customers with auto-remediation enabled, that moment triggers a rebuild, a regression-test run, and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation to restrict access to the Termix web service to trusted source IPs only, egress filtering on the SSH session host to limit lateral movement, and disabling the File Manager feature flag if the Termix deployment supports it. Customers can configure policy weights and alert routing in HarborGuard to ensure this Critical-severity finding reaches the right team immediately.

See how HarborGuard automates this
Affected packages
  • Termix-SSH / Termix
    < 2.3.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
References