CVE-2026-22804

HIGH

Termix 1.7.0-1.9.0 - Stored Cross-Site Scripting via SVG File Preview

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-22804. PoCs published by ThemeHackers.

AI-analyzed exploit summary: This repository contains a functional Proof of Concept (PoC) for CVE-2026-22804, a Stored XSS vulnerability in Termix (versions 1.7.0 to 1.9.0). The exploit leverages unsafe SVG rendering via `dangerouslySetInnerHTML` to execute arbitrary JavaScript, leading to session hijacking and local file inclusion in the Electron environment.

Description

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. In versions 1.7.0 to 1.9.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0.
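The description contrasts two things: the unsanitized SVG bytes and the HTML sink they are handed to. The following added example (not Termix code; function names and sample SVG files are constructed for illustration) shows the vulnerable sink beside a hardened preview that renders the same bytes through an `<img>` element, where browsers do not execute scripts, plus a small detector a defender can use to flag active content in files that are supposed to be mere images.

```javascript
// Added example, not code from Termix. The defect is handing file bytes to an
// HTML sink (the dangerouslySetInnerHTML pattern named above); the fix is a
// sink that cannot run script. Function names and sample files are constructed.

// Markers of active content that only matter when SVG is inlined into the DOM.
// Detection heuristic for logging or refusing inline rendering; it is not a
// sanitizer and does not replace choosing a safe sink.
const ACTIVE_CONTENT = [
  { name: 'script element', re: /<\s*script[\s>]/i },
  { name: 'event handler attribute', re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /href\s*=\s*["']?\s*javascript:/i },
  { name: 'foreignObject (HTML inside SVG)', re: /<\s*foreignObject[\s>]/i },
];

function findActiveContent(svgText) {
  return ACTIVE_CONTENT.filter((p) => p.re.test(svgText)).map((p) => p.name);
}

// Vulnerable pattern: file bytes become live DOM, so scripts and handlers run
// in the application's origin (and, in Electron, with the renderer's privileges).
function unsafePreviewHtml(svgText) {
  return `<div class="preview">${svgText}</div>`;
}

// Hardened pattern: the same bytes as an image source. SVG loaded via <img>
// is rendered with scripting disabled and cannot reach the page's DOM,
// cookies or Electron APIs. Base64 keeps the file from breaking the attribute.
function safePreviewHtml(svgText) {
  const b64 = Buffer.from(svgText, 'utf8').toString('base64');
  return `<img class="preview" alt="SVG preview" src="data:image/svg+xml;base64,${b64}">`;
}

// What a file manager should do for a given SVG: always use the safe sink,
// and separately flag files that carry active content for alerting.
function previewDecision(svgText) {
  const findings = findActiveContent(svgText);
  return { html: safePreviewHtml(svgText), flagged: findings.length > 0, findings };
}

// Constructed sample files (not from the advisory or the PoC).
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>';
const ACTIVE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"><script>alert(1)</script></svg>';
```

The detector's regexes are deliberately conservative and will produce false positives on odd but harmless markup; that is acceptable because rendering never depends on them.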

Exploits (2)

nomisec · WORKING POC · 1 star
by ThemeHackers · poc
https://github.com/ThemeHackers/CVE-2026-22804

Classification
Working PoC (95%)
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: Termix (Release 1.7.0 - 1.9.0)
Auth required
Prerequisites: Termix application running locally · SSH server accessible on localhost · Python 3 and Node.js installed · Valid user credentials for Termix
devstral-2 · analyzed Feb 16, 2026
gitlab · WORKING POC
by ThemeHackers · poc
https://gitlab.com/ThemeHackers/CVE-2026-22804

This repository contains a functional exploit for CVE-2026-22804, demonstrating a stored XSS vulnerability in Termix's File Manager component. The exploit uploads a malicious SVG file via SSH, which executes arbitrary JavaScript when rendered, leading to session hijacking and LFI in the Electron environment.

Classification
Working PoC (95%)
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: Termix (Release 1.7.0 - 1.9.0)
Auth required
Prerequisites: Termix backend and frontend running locally · SSH server accessible on localhost · Python 3 and requests library · Valid Termix user credentials or ability to register
devstral-2 · analyzed Feb 23, 2026

References (1)

Core References (1)
Tags: Exploit, Third Party Advisory, x_refsource_confirm
https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35

Scores

CVSS v3 8.0
EPSS 0.0017
EPSS Percentile 6.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-269, CWE-79
Status published
Products (1)
termix/termix 1.7.0 - 1.10.0
Published Jan 12, 2026
Tracked Since Feb 18, 2026