Command Injection Vulnerability in Termix Web-Based Server Management Platform
CVE-2026-42453
8.7 HIGH
What is CVE-2026-42453?
Termix, a web-based server management platform, has a vulnerability in its file management operations that could allow an attacker to execute arbitrary shell commands on the remote SSH host. The extractArchive and compressFiles endpoints in file-manager.ts build their shell commands with double-quoted strings, whereas the other file manager operations use single-quote escaping. Because a shell still performs command substitution inside double quotes, a $(command) sequence embedded in the command string is executed, which permits command injection. Users are advised to upgrade to version 2.1.0 to mitigate this security risk.
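The difference between the two quoting styles described above, as an added TypeScript example. It is not Termix's code: the function names, the tar command and the sample file name are assumptions made for illustration.

```typescript
// Added illustration; not Termix source. All names and the tar command are assumptions.

// Flawed pattern: wrap the value in double quotes, escaping only embedded quotes.
// Inside double quotes a POSIX shell still expands $(...), `...` and $VAR.
function quoteDouble(value: string): string {
  return '"' + value.replace(/"/g, '\\"') + '"';
}

// Hardened pattern: single quotes make every character literal; an embedded
// single quote is written as '\'' (close, escaped quote, reopen).
function quoteSingle(value: string): string {
  return "'" + value.replace(/'/g, "'\\''") + "'";
}

// Minimal POSIX quoting-state scanner: returns true if the command line
// contains $( or a backtick in a position where the shell would expand it.
function hasLiveSubstitution(cmd: string): boolean {
  let inSingle = false;
  let inDouble = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (inSingle) {
      if (c === "'") inSingle = false; // no escapes exist inside single quotes
      continue;
    }
    if (c === "\\") { i++; continue; } // backslash escapes the next character
    if (c === "'" && !inDouble) { inSingle = true; continue; }
    if (c === '"') { inDouble = !inDouble; continue; }
    if (c === "`" || (c === "$" && cmd[i + 1] === "(")) return true;
  }
  return false;
}

// Hypothetical command builder standing in for an extract operation.
function buildExtract(archive: string, quote: (v: string) => string): string {
  return "tar -xf " + quote(archive);
}

// Constructed sample input: a file name carrying a harmless substitution marker.
const sampleName = "backup$(echo MARKER).tar";
const weak = buildExtract(sampleName, quoteDouble);
const safe = buildExtract(sampleName, quoteSingle);
console.log(weak, "-> live substitution:", hasLiveSubstitution(weak));
console.log(safe, "-> live substitution:", hasLiveSubstitution(safe));
```

The scanner can also serve as a unit-test helper: run it over every command string a builder produces from hostile-looking file names and fail the test if it ever returns true.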
Affected Version(s)
Termix < 2.1.0
