CVE-2026-22804: CWE-269: Improper Privilege Management in Termix-SSH Termix
CVE-2026-22804 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability affecting Termix versions 1.7.0 through 1.9.0. The flaw exists in the Termix File Manager component, where SVG file content is not properly sanitized before rendering. An attacker who has compromised a managed SSH server can plant a malicious SVG file that executes arbitrary JavaScript when previewed by a Termix user. This vulnerability can lead to full compromise of user sessions and potentially the application itself. It requires no privileges but does require user interaction to preview the malicious file. The issue is fixed in version 1.10.0.
AI Analysis
Technical Summary
CVE-2026-22804 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the Termix web-based server management platform, specifically within the File Manager component's file preview functionality. Termix versions from 1.7.0 up to but not including 1.10.0 fail to sanitize SVG file content before rendering it in the user interface. This improper input validation allows an attacker who has already compromised a managed SSH server to upload or plant a malicious SVG file containing embedded JavaScript payloads. When a Termix user previews this file, the malicious script executes within the context of the Termix application, potentially allowing session hijacking, credential theft, or further lateral movement within the environment. The vulnerability is categorized under CWE-269 (Improper Privilege Management) and CWE-79 (Cross-Site Scripting). The CVSS v3.1 score is 8.0 (high), reflecting network attack vector, high impact on confidentiality and integrity, no privileges required, but user interaction is necessary. The scope is changed as the vulnerability affects the application and potentially other components relying on it. Although no known exploits are currently in the wild, the risk is significant due to the ease of exploitation once an attacker has server access. The issue is fixed in Termix version 1.10.0 by properly sanitizing SVG content before rendering. The vulnerability resides in the source file src/ui/desktop/apps/file-manager/components/FileViewer.tsx, indicating a frontend rendering flaw. This vulnerability highlights the risks of insufficient input validation in web-based management tools that integrate file handling and preview features.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for those using Termix to manage SSH servers in critical infrastructure, finance, healthcare, or government sectors. Successful exploitation can lead to session hijacking, unauthorized access to sensitive management consoles, and potential lateral movement within networks. The ability to execute arbitrary JavaScript in the context of the management platform could allow attackers to steal credentials, manipulate configurations, or deploy further malware. Given the network attack vector and the requirement for user interaction, phishing or social engineering could facilitate exploitation. The impact on confidentiality and integrity is high, potentially leading to data breaches or operational disruptions. Organizations relying on Termix for centralized server management may face increased risk of compromise if they have not updated to the patched version. Additionally, the vulnerability could undermine trust in web-based management tools and complicate compliance with EU data protection regulations such as GDPR if exploited to exfiltrate personal data.
Mitigation Recommendations
The primary mitigation is to upgrade all Termix instances to version 1.10.0 or later, where the vulnerability has been fixed by proper SVG content sanitization. Until patching is possible, organizations should restrict or disable the file preview functionality within Termix, especially for SVG files, to prevent execution of malicious scripts. Implementing Web Application Firewall (WAF) rules to detect and block malicious SVG payloads can provide an additional layer of defense. Network segmentation and strict access controls should limit who can upload files to managed SSH servers to reduce the risk of planting malicious files. Monitoring and alerting on unusual file uploads or preview activity can help detect exploitation attempts. Educating users about the risk of previewing untrusted files and enforcing the principle of least privilege for Termix users will also reduce exposure. Finally, organizations should review and harden their SSH server security posture to prevent initial compromise, as the vulnerability requires prior access to the managed server.
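The mitigation paragraph above recommends two controls: sanitizing or blocking active SVG content before it is previewed, and monitoring uploads for such content. The JavaScript below is an added example illustrating both; it is not Termix's code and makes no claim about how FileViewer.tsx was patched. The function names (svgHasActiveContent, toInertSvgDataUrl, planSvgPreview) and the sample SVG documents are constructed for this example.

```javascript
// Added example (not Termix project code): defensive handling of SVG previews.
// Two controls are shown:
//   1. svgHasActiveContent(): a heuristic scan for script-bearing SVG, usable for
//      upload monitoring or WAF-style triage as the advisory's mitigation suggests.
//   2. toInertSvgDataUrl(): the rendering-side fix. Handing the SVG to an <img>
//      element via a data: URL means the browser never runs scripts, event
//      handlers or external references in it, unlike SVG injected as markup
//      into the page (innerHTML / dangerouslySetInnerHTML).

// Patterns that indicate active content. This is a detection heuristic, not a
// sanitizer: entity encoding, unusual whitespace or nested documents can evade
// it, so treat "false" as "nothing obvious", never as "safe to inline as markup".
const ACTIVE_CONTENT_PATTERNS = [
  /<\s*script\b/i,                                      // <script> elements
  /<\s*foreignObject\b/i,                               // embeds arbitrary HTML
  /\son[a-z]+\s*=/i,                                    // onload=, onclick=, ...
  /\b(?:xlink:)?href\s*=\s*["']?\s*javascript:/i,       // javascript: URLs
  /<\s*(?:iframe|embed|object)\b/i,                     // HTML embedding elements
  /\b(?:xlink:)?href\s*=\s*["']?\s*data:text\/html/i,   // data:text/html documents
];

// Returns true when the SVG text matches any active-content pattern.
function svgHasActiveContent(svgText) {
  return ACTIVE_CONTENT_PATTERNS.some((re) => re.test(svgText));
}

// Wraps the SVG in a base64 data: URL suitable for an <img src="..."> element.
function toInertSvgDataUrl(svgText) {
  const b64 = Buffer.from(svgText, 'utf8').toString('base64');
  return `data:image/svg+xml;base64,${b64}`;
}

// Preview decision a file viewer could apply (hypothetical policy): never inline
// SVG as markup, render it through <img>, and refuse (and log) files that carry
// active content, since a file planted on a compromised server deserves no trust.
function planSvgPreview(fileName, svgText) {
  if (svgHasActiveContent(svgText)) {
    return { fileName, action: 'block', reason: 'active content in SVG', src: null };
  }
  return {
    fileName,
    action: 'render-as-img',
    reason: null,
    src: toInertSvgDataUrl(svgText),
  };
}

// Constructed sample files for demonstration.
const SAMPLE_BENIGN =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">' +
  '<circle cx="5" cy="5" r="4" fill="tomato"/></svg>';
const SAMPLE_EVENT_HANDLER =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>';
const SAMPLE_SCRIPT =
  '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>';

for (const [name, text] of [
  ['logo.svg', SAMPLE_BENIGN],
  ['planted-1.svg', SAMPLE_EVENT_HANDLER],
  ['planted-2.svg', SAMPLE_SCRIPT],
]) {
  const plan = planSvgPreview(name, text);
  console.log(`${name}: ${plan.action}${plan.reason ? ` (${plan.reason})` : ''}`);
}
```

The pattern list is deliberately the weaker of the two controls: a WAF or upload monitor built on such rules will miss encoded or obfuscated payloads, so it belongs in the detection layer, while the rendering path (an `<img>` with a data: URL, or a sandboxed frame without script permission) is what actually prevents a planted SVG from running in the Termix user's session.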
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-09T22:50:10.287Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69657471da2266e83834ab9f
Added to database: 1/12/2026, 10:23:45 PM
Last enriched: 1/21/2026, 3:04:43 AM
Last updated: 2/27/2026, 3:57:09 AM
Related Threats
- CVE-2026-3285: Out-of-Bounds Read in berry-lang berry (Medium)
- CVE-2026-3284: Integer Overflow in libvips (Medium)
- CVE-2026-3283: Out-of-Bounds Read in libvips (Medium)
- CVE-2026-3282: Out-of-Bounds Read in libvips (Medium)
- CVE-2026-3281: Heap-based Buffer Overflow in libvips (Medium)