Cyber Resilience

CVE-2026-22804

High · Public PoC

Published: 12 January 2026

Modified: 16 January 2026
CVSS Score (v3.1): 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0003 (8.8th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22804 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Termix. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE ranks at the 8.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-22804 is a stored cross-site scripting (XSS) vulnerability affecting Termix, a web-based server management platform offering SSH terminal, tunneling, and file editing capabilities. The issue exists in versions 1.7.0 through 1.9.0 within the File Manager component, specifically in the FileViewer.tsx file located at src/ui/desktop/apps/file-manager/components/FileViewer.tsx. Termix fails to sanitize SVG file content before rendering it, enabling the injection of malicious payloads. The vulnerability is associated with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-269 (Improper Privilege Management), with a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N).

An attacker who has compromised an SSH server managed by Termix can exploit this vulnerability by planting a malicious SVG file on that server. When a Termix user previews the file via the File Manager, script embedded in the unsanitized SVG content executes as arbitrary JavaScript in the context of the Termix web application. This lets the attacker steal session tokens, manipulate the user's view of the application, or perform other actions with the victim's privileges in the browser. Exploitation requires user interaction: the victim must open the preview.

The GitHub Security Advisory (GHSA-m3cv-5hgp-hv35) confirms the vulnerability and states that it is fixed in Termix version 1.10.0. Security practitioners should update to 1.10.0 or later to mitigate the issue, and in the interim, avoid previewing SVG files from untrusted SSH servers or implement client-side content sanitization.
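
As an illustration of the interim client-side check mentioned above, the following added example (not Termix code and not the project's 1.10.0 fix) flags active content in SVG text before a preview is rendered. The function names and sample strings are hypothetical, and the rules are a deny-by-default heuristic, not a full sanitizer.

```javascript
// Added example: heuristic pre-preview check for SVG text pulled from a managed host.
// inspectSvg and previewMode are hypothetical names, not Termix APIs.

// Decode numeric character references so an encoded URL scheme still matches.
const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
function decodeRefs(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)));
}

const RULES = [
  ["script-element", /<\s*(?:[\w-]+:)?script\b/i],
  ["foreign-object", /<\s*(?:[\w-]+:)?foreignObject\b/i],
  ["event-handler-attribute", /[\s"'\/]on[a-z]+\s*=/i],
  ["entity-declaration", /<!ENTITY/i],
];
// Checked after removing tab/CR/LF, which browsers drop when parsing a URL.
const SCRIPT_URL = /(?:href|src)\s*=\s*["']?\s*(?:javascript|vbscript):/i;

// Returns the names of every rule the SVG text trips (empty array = none).
function inspectSvg(svgText) {
  const decoded = decodeRefs(svgText);
  const findings = RULES.filter(([, re]) => re.test(decoded)).map(([name]) => name);
  if (SCRIPT_URL.test(decoded.replace(/[\t\r\n]/g, ""))) findings.push("script-url");
  return findings;
}

// Deny by default: anything flagged is shown as escaped source, never rendered.
// Clean files go to an <img> element, where browsers do not run SVG script.
function previewMode(svgText) {
  return inspectSvg(svgText).length === 0 ? "img-element" : "source-only";
}

// Constructed samples (inert placeholders, not taken from the advisory).
const benign = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
const flagged =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">' +
  "<script>/* placeholder */</script></svg>";
console.log(previewMode(benign), inspectSvg(flagged));
```

A false positive here only costs a rendered preview, which is the intended trade-off until the upgrade to 1.10.0 is in place.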

Vulnerability details

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

Stored XSS via unsanitized SVG directly enables browser session hijacking and web session cookie theft in the Termix web app.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32277 (Shared CWE-79)
CVE-2026-35035 (Shared CWE-79)
CVE-2026-46367 (Shared CWE-79)
CVE-2025-25102 (Shared CWE-79)
CVE-2025-26918 (Shared CWE-79)
CVE-2025-67923 (Shared CWE-79)
CVE-2026-27655 (Shared CWE-79)
CVE-2026-30919 (Shared CWE-79)
CVE-2025-23883 (Shared CWE-79)
CVE-2026-41904 (Shared CWE-79)

Affected Assets

termix
termix
1.7.0 — 1.10.0

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-15 requires filtering of information outputs before rendering, directly preventing the execution of malicious JavaScript in unsanitized SVG files previewed in the File Manager.

Prevent: SI-10 mandates validation of information inputs such as SVG file content, blocking malicious payloads from being processed in the FileViewer component.

Prevent: SI-2 ensures flaws like the SVG sanitization failure are identified and remediated, as demonstrated by the patch in Termix version 1.10.0.
