CVE-2026-22677 Hermes WebUI < 0.51.44 Path Traversal via Session Import Endpoint

🗓️ 13 May 2026 19:08:02Reported by VulnCheckType

CVE-2026-22677 Hermes WebUI before 0.51.44 enables authenticated users to read arbitrary files via crafted session workspace in import.

Reporter	Title	Published	Views	Family All 8
ATTACKERKB	CVE-2026-22677	13 May 202619:08	–	attackerkb
CNNVD	Hermes Web UI 路径遍历漏洞	13 May 202600:00	–	cnnvd
CVE	CVE-2026-22677	13 May 202619:08	–	cve
EUVD	EUVD-2026-30109	13 May 202621:32	–	euvd
NVD	CVE-2026-22677	13 May 202619:17	–	nvd
Positive Technologies	PT-2026-40774	13 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-22677	14 May 202619:58	–	redhatcve
Vulnrichment	CVE-2026-22677 Hermes WebUI < 0.51.44 Path Traversal via Session Import Endpoint	13 May 202619:08	–	vulnrichment

[
  {
    "defaultStatus": "affected",
    "vendor": "nesquena",
    "product": "hermes-webui",
    "repo": "https://github.com/nesquena/hermes-webui",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "semver",
        "lessThan": "0.51.44"
      },
      {
        "status": "unaffected",
        "version": "f00cb74f776f22f02f5eb6b39dfb389f87cc7fd3",
        "versionType": "git"
      }
    ]
  }
]

Source	Link
github	www.github.com/nesquena/hermes-webui/commit/f00cb74f776f22f02f5eb6b39dfb389f87cc7fd3
vulncheck	www.vulncheck.com/advisories/hermes-webui-path-traversal-via-session-import-endpoint
github	www.github.com/nesquena/hermes-webui/releases/tag/v0.51.44
github	www.github.com/nesquena/hermes-webui/pull/2048

26 May 2026 11:52Current

CVSS 46

CVSS 3.16.5

EPSS0.00376

CWE-22