Security

Report a vulnerability

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report any vulnerabilities to GitHub Security.

Remote Code Execution via SSH Tunnel Forward Command Injection
GHSA-xmjh-8cc2-qm49 published May 31, 2026 by ZacharyZcR

Critical
File-Manager Session Hijack via Missing Ownership Check (IDOR)
GHSA-5fqh-77cr-jj5x published May 31, 2026 by ZacharyZcR

High
TOTP two-factor authentication can be disabled or bypassed using only the account password
GHSA-wqfw-rqj7-fv9m published May 31, 2026 by ZacharyZcR

High
Authenticated users can access bcrypt password hashes of all users via /users/list
GHSA-ccm8-q457-6vjj published May 31, 2026 by ZacharyZcR

High
OS Command Injection in File Manager resolvePath endpoint
GHSA-37f4-wq95-pg33 published May 31, 2026 by ZacharyZcR

Critical
Arbitrary Command Execution in File Manager
GHSA-v26q-rpv5-9m72 published May 31, 2026 by ZacharyZcR

Critical
Arbitrary Command Execution via Session Hijacking
GHSA-cx2r-843c-vww8 published May 31, 2026 by ZacharyZcR

Critical
OS Command Injection in Docker Container Management Endpoints
GHSA-c2g2-hqgq-6w9v published Apr 22, 2026 by LukeGus

Critical
Pending-TOTP temporary token can regenerate backup codes and neutralize TOTP
GHSA-vx59-rf9w-9jv8 published Apr 22, 2026 by LukeGus

High
Improper certificate validation in Electron desktop client enables MITM credential/token theft
GHSA-r9gw-3w87-mhh7 published May 12, 2026 by LukeGus

High

Learn more about advisories related to Termix-SSH/Termix in the GitHub Advisory Database