CVE-2026-45750

Vulnerability

The Termix File Manager component, specifically the GET /ssh/file_manager/ssh/resolvePath endpoint, is vulnerable to command injection. Prior to version 2.3.2, the path parameter was unsafely processed and embedded into a shell command executed over an active SSH session. The vulnerability exists because only double quotes were escaped, allowing shell command substitution syntax like $(...) to be interpreted by the remote shell [2]. This affects all versions prior to 2.3.2.

Exploitation

An attacker needs to be authenticated to Termix and have access to the File Manager. The attacker sends a crafted GET request to the /ssh/file_manager/ssh/resolvePath endpoint, including a malicious payload in the path parameter, such as x$(id). If the attacker can also exploit a separate Broken Access Control issue related to sessionId, they can redirect the command execution to another user's active SSH session by using that user's sessionId [2].

Impact

Successful exploitation allows an authenticated user to execute arbitrary commands on the remote host associated with the SSH session. If the sessionId is also compromised, the impact is amplified, enabling command execution against third-party remote infrastructure within the same Termix instance, affecting other users' sessions [2].

Mitigation

Termix version 2.3.2 addresses this vulnerability. Users should update to version 2.3.2 or later. The release notes for version 2.3.2 mention numerous stability and security patches, including fixes for several security vulnerabilities [1]. No workarounds are specified, and the vulnerability is not listed as actively exploited in the wild.