CVE-2026-58123 PUBLISHED

Hermes WebUI < 0.51.788 Unauthenticated RCE via Terminal API

Assigner: VulnCheck
Reserved: 29.06.2026 Published: 09.07.2026 Updated: 09.07.2026

Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary shell commands by accessing the embedded terminal API endpoints without credentials. Attackers can create a session, attach a PTY shell, and write arbitrary commands through the terminal input endpoint to achieve full command execution as the server process user via four sequential unauthenticated HTTP requests.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor nesquena
Product hermes-webui
Versions Default: affected
  • affected from 0 to 0.51.788 (excl.)

Credits

  • Katriel Moses finder
  • VulnCheck finder

References

Problem Types

  • Missing Authentication for Critical Function CWE