VYPR

Hermes Webui

by Nesquena

CVEs (14)

  • CVE-2026-49973 | Critical | Jun 11, 2026
    risk 0.54 | CVSS 9.4 | EPSS 0.01

    Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any network origin restriction. Attackers on…

  • CVE-2026-49959 | High | Jun 9, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.01

    Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git…

  • CVE-2026-6832 | High | Apr 21, 2026
    risk 0.46 | CVSS 8.1 | EPSS 0.00

    Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can…

  • CVE-2026-49957 | High | Jun 9, 2026
    risk 0.43 | CVSS 7.7 | EPSS 0.00

    Hermes WebUI before version 0.51.296 contains a workspace boundary bypass vulnerability that allows authenticated attackers to circumvent blocked-root path checks by exploiting an early return in the SSH/remote terminal profile workspace resolution logic within…

  • CVE-2026-49956 | Medium | Jun 9, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions…

  • CVE-2026-11322 | Medium | Jun 4, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    Hermes WebUI prior to v0.51.221 contains a path traversal vulnerability that allows attackers to escape the workspace boundary by supplying symlinks that resolve to files or directories outside the designated workspace root. Attackers can exploit the workspace file and listing…

  • CVE-2026-22677 | Medium | May 13, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    Hermes WebUI prior to 0.51.44 contains a path traversal vulnerability in the session import endpoint that allows authenticated attackers to read arbitrary files by importing a crafted session with an unrestricted workspace value. Attackers can supply a blocked filesystem root in…

  • CVE-2026-6829 | Medium | Apr 21, 2026
    risk 0.34 | CVSS 6.3 | EPSS 0.00

    nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new,…

  • CVE-2026-49955 | Medium | Jun 9, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.01

    Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion. Attackers can send unlimited POST…

  • CVE-2026-49958 | Medium | Jun 9, 2026
    risk 0.26 | CVSS 5.0 | EPSS 0.00

    Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use (TOCTOU) race condition vulnerability in the git_discard function within api/workspace_git.py that allows attackers to delete files outside the configured workspace boundary by replacing a validated path…

  • CVE-2026-6830 | Low | Apr 21, 2026
    risk 0.14 | CVSS 3.3 | EPSS 0.00

    nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access…

  • CVE-2026-55198 | Jun 17, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    Hermes WebUI before 0.51.443 contains an authorization bypass vulnerability in the session export endpoint that allows authenticated users to access sessions from other profiles. The _handle_session_export handler in api/routes.py fails to verify active-profile ownership before…

  • CVE-2026-55197 | Jun 17, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    Hermes WebUI before 0.51.443 contains a broken access control vulnerability in the /api/session endpoint that allows authenticated users to disclose cross-profile session transcripts. Attackers can bypass profile boundary checks by directly querying session IDs belonging to…

  • CVE-2026-55196 | Jun 17, 2026
    risk 0.00 | CVSS n/a | EPSS 0.01

    Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST…