CVE-2026-45746

9.0 CRITICAL

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities

Published: 2026-06-05 · Last updated: 2026-06-09

Severity and scoring

CVSS: 9.0 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-284, CWE-639

Affected products

Vendor	Product
termix	termix

Description

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to improper validation of the sessionId parameter. The backend trusts a client-controlled identifier without verifying that it belongs to the authenticated user. This allows an attacker to manipulate the value and access active File Manager sessions belonging to other users. Since these sessions are tied to SSH connections to remote VPS instances, exploitation allows unauthorized interaction with another user's remote filesystem. Because the File Manager exposes functionality such as file reading, writing, uploading, and execution, this vulnerability enables direct command execution on another user's VPS (RCE). Version 2.3.2 patches the issue.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45746
[Vendor advisory]https://github.com/Termix-SSH/Termix/security/advisories/GHSA-cx2r-843c-vww8
[Vendor advisory]https://github.com/Termix-SSH/Termix/security/advisories/GHSA-cx2r-843c-vww8

Related CVEs

Same vendor

CVE-2026-45750 — Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities (9.0 CRITICAL)
CVE-2026-45749 — Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities (8.1 HIGH)
CVE-2026-45748 — Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities (9.8 CRITICAL)
CVE-2026-45745 — Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities (8.0 HIGH)
CVE-2026-45744 — Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities (9.9 CRITICAL)

Same CWE

CVE-2026-46695 — Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to ru... (10.0 CRITICAL)
CVE-2026-44692 — Sharp is a content management framework built for Laravel as a package (7.7 HIGH)
CVE-2026-50564 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (9.9 CRITICAL)
CVE-2026-50563 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (9.9 CRITICAL)
CVE-2026-50545 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (9.9 CRITICAL)