Vulnerability: Stored Cross-Site Scripting (XSS)
Severity: High (CVSS v3.1: 8.0/10)
Affected Package: github.com/Termix-SSH/Termix
Affected Versions: 1.7.0 - 1.9.0
Patched Versions: 1.10.0
CVE ID: CVE-2026-22804
Weaknesses: CWE-79, CWE-269

Key Vulnerability Details:

File Manager Component: Vulnerable to Stored XSS related to SVG file rendering due to improper sanitization.
Location: in the component.

Attack Method:

1. Web Browser Impact:
   Injection Point: SVG content rendered with .
   Exploit Script: SVG payload containing an handler can lead to arbitrary JavaScript execution within the application.
   Session Hijacking: Attacker can access and access JWT tokens to fully control the user’s account.

2. Electron Desktop Application Impact:
   Configuration Issue: disables security protections like Same-Origin Policy.
   Local File Read Exploit: Attacker can use calls in JavaScript payloads to read local files (e.g., , ) and send them to a remote server.
   Impact: Local File Inclusion (LFI) via XSS injection escalates into unauthorized access to sensitive files.

High Attack Complexity: Requires remote server compromise and creating targeted malicious files for execution.
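
Because the payload is stored in SVG files, a defender may want to find files that carry script-capable content. The following is an added example, not code from the advisory or from Termix; the check names, function names and sample files are constructed for illustration, and the pattern matching is an audit aid, not a sanitizer.

```javascript
// Added example (not Termix code): audit check for script-capable SVG content.
// Pattern matching is a triage aid; a match-free file is not proven safe to inline.
const SVG_ACTIVE_CONTENT = [
  { id: "script-element", re: /<\s*(?:[\w-]+:)?script[\s>\/]/i },
  { id: "event-handler", re: /<[^>]*["'\s\/]on[a-z]+\s*=/i },
  { id: "javascript-uri", re: /(?:href|src)\s*=\s*["']?\s*javascript:/i, compact: true },
  { id: "foreign-object", re: /<\s*(?:[\w-]+:)?foreignObject[\s>\/]/i },
  { id: "html-embed", re: /<\s*(?:iframe|embed|object)[\s>\/]/i },
];

// Decode numeric character references so an encoded scheme name is still seen.
function decodeNumericEntities(text) {
  const toChar = (cp) => (cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "");
  return text
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => toChar(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => toChar(parseInt(dec, 10)));
}

// Return the ids of every active-content check that matches the SVG text.
function scanSvg(svgText) {
  const decoded = decodeNumericEntities(svgText);
  const compact = decoded.replace(/[\t\r\n]/g, ""); // browsers drop these inside URLs
  return SVG_ACTIVE_CONTENT
    .filter((c) => c.re.test(c.compact ? compact : decoded))
    .map((c) => c.id);
}

// files: [{ path, content }] -> only the files with at least one finding.
function auditFiles(files) {
  return files
    .map((f) => ({ path: f.path, findings: scanSvg(f.content) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample inputs; handler and URI bodies are inert placeholders.
const SAMPLE_FILES = [
  { path: "logo.svg", content: '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>' },
  { path: "diagram.svg", content: '<svg xmlns="http://www.w3.org/2000/svg" onload="/* handler body */"><rect/></svg>' },
  { path: "link.svg", content: '<svg><a href="&#106;ava\tscript:void(0)"><text>x</text></a></svg>' },
];

for (const hit of auditFiles(SAMPLE_FILES)) console.log(hit.path, hit.findings.join(","));
```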