CVE-2026-22804

HIGH

Termix < 1.10.0 - XSS

Title source: rule

Description

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. In versions 1.7.0 through 1.9.0, a stored cross-site scripting (XSS) vulnerability exists in the Termix File Manager component: the application fails to sanitize SVG file content before rendering it. An attacker who has compromised a managed SSH server can plant a malicious file which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerable code is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. The vulnerability is fixed in 1.10.0.

Exploits (2)

nomisec WORKING POC 1 stars
by ThemeHackers · poc
https://github.com/ThemeHackers/CVE-2026-22804
gitlab WORKING POC
by ThemeHackers · poc
https://gitlab.com/ThemeHackers/CVE-2026-22804

Scores

CVSS v3: 8.0
EPSS: 0.0005
EPSS Percentile: 13.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Classification

CWE: CWE-269, CWE-79
Status: published

Affected Products (1)

termix/termix < 1.10.0

Timeline

Published: Jan 12, 2026
Tracked Since: Feb 18, 2026