CVE-2026-45745

8.0 HIGH

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities

Published: 2026-06-05 · Last updated: 2026-06-08

Severity and scoring

CVSS: 8.0 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
CWE: CWE-295

Affected products

Vendor	Product
termix	termix

Description

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Starting in version 1.7.0, Termix Desktop (Electron) disables TLS certificate validation, allowing a machine-in-the-middle attacker to intercept and modify HTTPS traffic to the configured Termix server. This can lead to credential theft and JWT/session theft during login and normal use. As of time of publication, no known patched versions are available.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45745
[Vendor advisory]https://github.com/Termix-SSH/Termix/security/advisories/GHSA-r9gw-3w87-mhh7
[Vendor advisory]https://github.com/Termix-SSH/Termix/security/advisories/GHSA-r9gw-3w87-mhh7

Related CVEs

Same vendor

CVE-2026-45750 — Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities (9.0 CRITICAL)
CVE-2026-45749 — Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities (8.1 HIGH)
CVE-2026-45748 — Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities (9.8 CRITICAL)
CVE-2026-45746 — Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities (9.0 CRITICAL)
CVE-2026-45744 — Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities (9.9 CRITICAL)

Same CWE

CVE-2026-41714 — Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(... (4.0 MEDIUM)
CVE-2026-42769 — Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (... (5.3 MEDIUM)
CVE-2026-50752 — A weakness in the certificate validation logic of the deprecated IKEv1 key exchange may allow an unauthenticated attacker positioned as a... (7.4 HIGH)
CVE-2026-41859 — A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth header or UAA client s... (7.8 HIGH)
CVE-2026-49267 — Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS connections without verifying t... (5.9 MEDIUM)