CVE-2026-42453 HIGH

CVE-2026-42453: Termix: Command injection in extractArchive/compressFiles via double-quote escaping bypass

Vendor: Termix-Ssh
Product: Termix
Weakness: CWE-77
Published: May 8, 2026
Last update: May 11, 2026

CVSS base score

8.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, the extractArchive and compressFiles endpoints in file-manager.ts build their shell commands with double-quoted strings, unlike all other file manager operations, which use single-quote escaping. Inside double quotes the shell still performs $(command) substitution, which enables command injection on the remote SSH host. This issue has been patched in version 2.1.0.
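The difference between the two quoting styles, as an added example that is not Termix's code: the function names, the tar command line and the sample file name are assumptions constructed for illustration. hasLiveExpansion is a minimal POSIX sh quoting scanner that reports whether a `$` or backtick in the built command still sits where the shell would expand it.

```javascript
// Added example, not code from Termix. All names here are hypothetical.

// Weak pattern: wrap in double quotes and escape only embedded double quotes.
function quoteDouble(arg) {
  return '"' + arg.replace(/"/g, '\\"') + '"';
}

// Hardened pattern: wrap in single quotes; for each embedded ' close the
// quote, emit an escaped quote, and reopen ('\'').
function quoteSingle(arg) {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Hypothetical command builder (the tar invocation is an assumption).
function buildExtract(quote, archive) {
  return "tar -xf " + quote(archive);
}

// Minimal POSIX sh quoting scanner. Returns true if any `$` or backtick is
// unquoted or inside double quotes, where the shell still expands it.
// Conservative: every such `$` counts, even one that starts no expansion.
function hasLiveExpansion(cmd) {
  let state = "plain"; // "plain" | "single" | "double"
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (state === "single") {
      if (c === "'") state = "plain"; // nothing else is special inside '...'
      continue;
    }
    if (c === "\\") { i++; continue; } // backslash neutralises the next char
    if (c === "'" && state === "plain") state = "single";
    else if (c === '"') state = state === "double" ? "plain" : "double";
    else if (c === "$" || c === "`") return true;
  }
  return false;
}

// Constructed sample file name with a harmless substitution marker.
const SAMPLE_NAME = 'it\'s"$(echo marker).tar';

function demo() {
  return {
    doubleQuoted: hasLiveExpansion(buildExtract(quoteDouble, SAMPLE_NAME)),
    singleQuoted: hasLiveExpansion(buildExtract(quoteSingle, SAMPLE_NAME)),
  };
}
```

Running the scanner over every command string a file manager builds from user-controlled names is one way to regression-test that no endpoint falls back to double-quote wrapping.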

Key dates

02 Disclosure timeline

May 8, 2026 CVE published
May 11, 2026 Record updated
