191 matches found
CVE-2026-14628
The CVE concerns NousResearch hermes-agent (up to 2026.5.16), specifically the Live Webhook Endpoint component’s gateway/platforms/base.py extract_media function. The vulnerability is a path traversal flaw that can be triggered remotely. Public exploit information exists, and CVSS metrics show a ...
EUVD-2026-41673
A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extract_media of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit is...
EUVD-2026-41672
A security vulnerability has been detected in NousResearch hermes-agent up to 0.15.2. This affects the function DiscordAdapter._is_allowed_user of the file gateway/platforms/discord.py of the component Discord Platform Integration. Such manipulation leads to improper authentication. The attack can b...
CVE-2026-14627
The vulnerability CVE-2026-14627 affects NousResearch hermes-agent up to 0.15.2, specifically the Discord Platform Integration’s DiscordAdapter._is_allowed_user in gateway/platforms/discord.py. The root cause is improper authentication caused by manipulation of this function, enabling a remote at...
EUVD-2026-41670
A weakness has been identified in NousResearch hermes-agent up to 2026.4.30. The impacted element is the function AIAgent.run_conversation of the file run_agent.py of the component HTTP API. This manipulation of the argument todos causes denial of service. The attack can be initiated remotely. The...
CVE-2026-14626
NousResearch hermes-agent (up to 2026.4.30), specifically the HTTP API component and AIAgent.run_conversation in run_agent.py, is vulnerable. The issue arises from manipulation of the todos argument, enabling remote denial of service. Public exploit is noted, and the vendor was contacted without ...
EUVD-2026-41664
A security flaw has been discovered in NousResearch hermes-agent up to 0.15.2. The affected element is the function shell.exec of the file tui_gateway/server.py. The manipulation results in protection mechanism failure. It is possible to launch the attack remotely. The exploit has been released to...
CVE-2026-14625
The vulnerability CVE-2026-14625 affects NousResearch hermes-agent up to version 0.15.2. The issue lies in the shell.exec function within tui_gateway/server.py, enabling a remote attack and causing a protection mechanism failure. Public exploit appears to be available. Vendor was notified but did...
EUVD-2026-41654
A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.30. Affected is the function GatewayStreamConsumer._filter_and_accumulate of the file gateway/stream_consumer.py of the component Streaming Reasoning Tag Filter. The manipulation leads to improper handling of case...
CVE-2026-14617
A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.30. Affected is the function GatewayStreamConsumer._filter_and_accumulate of the file gateway/stream_consumer.py of the component Streaming Reasoning Tag Filter. The manipulation leads to improper handling of case...
CVE-2026-14617
CVE-2026-14617 affects NousResearch hermes-agent (up to 2026.4.30). The issue resides in GatewayStreamConsumer._filter_and_accumulate (gateway/stream_consumer.py) within the Streaming Reasoning Tag Filter, where improper handling of case sensitivity is reported as the underlying root cause. The v...
CVE-2026-53870
Hermes Agent before 0.16.0 creates responsestore.db and webhooksubscriptions.json with world-readable permissions mode 0o644, exposing conversation history and HMAC secrets to local users. Attackers with local filesystem access can read these files directly to obtain sensitive data including...
CVE-2026-53869
CVE-2026-53869: Hermes Agent prior to 0.16.0 has a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. The FastAPI HTTP middleware is not executed for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events, ena...
PT-2026-50518
Name of the Vulnerable Software and Affected Versions: Hermes Agent versions prior to 0.16.0. Description: A DNS rebinding issue in WebSocket endpoints allows remote attackers to bypass Host and Origin validation. This occurs because FastAPI HTTP middleware does not execute for WebSocket upgrade...
CVE-2026-11461
A vulnerability has been found in NousResearch hermes-agent up to 0.12.0. This affects the function resolve_session_by_title of the file hermes_state.py of the component resume Endpoint. Such manipulation of the argument Title leads to authorization bypass. It is possible to launch the attack remotel...
EUVD-2026-34992
A vulnerability has been found in NousResearch hermes-agent up to 0.12.0. This affects the function resolve_session_by_title of the file hermes_state.py of the component resume Endpoint. Such manipulation of the argument Title leads to authorization bypass. It is possible to launch the attack remotel...
CVE-2026-11461 NousResearch hermes-agent resume Endpoint hermes_state.py resolve_session_by_title authorization
A vulnerability has been found in NousResearch hermes-agent up to 0.12.0. This affects the function resolve_session_by_title of the file hermes_state.py of the component resume Endpoint. Such manipulation of the argument Title leads to authorization bypass. It is possible to launch the attack remotel...
CVE-2026-11461
CVE-2026-11461 affects NousResearch Hermes-Agent up to version 0.12.0. The vulnerability is in the resume endpoint’s file hermes_state.py, in the function resolve_session_by_title, where manipulating the Title argument can bypass authorization. It allows remote exploitation, with the exploit publ...