CVE-2026-45743

Source
https://cve.org/CVERecord?id=CVE-2026-45743
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45743.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45743
Aliases
  • GHSA-5fqh-77cr-jj5x
Published
2026-06-05T17:56:53.201Z
Modified
2026-07-08T08:09:38.858315481Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Termix has a File-Manager Session Hijack via Missing Ownership Check (IDOR)
Details

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. 16 file-manager endpoints in Termix prior to version 2.3.2 do not verify that the requesting user owns the SSH session identified by sessionId. An authenticated attacker who knows or guesses another user's active sessionId can read, write, delete, download, and execute files on the victim's connected SSH host. Version 2.3.2 patches the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45743.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-639"
    ]
}
References

Affected packages

Git / github.com/termix-ssh/termix

Affected ranges

Type
GIT
Repo
https://github.com/termix-ssh/termix
Events
Database specific
{
    "cpe": "cpe:2.3:a:termix:termix:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.3.2"
        },
        {
            "introduced": "2.1.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

release-2.*
release-2.1.0-tag
release-2.2.0-tag
release-2.2.1-tag

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45743.json"