CVE-2026-22677 Hermes WebUI < 0.51.44 Path Traversal via Session Import Endpoint

Hermes WebUI prior to 0.51.44 contains a path traversal vulnerability in the session import endpoint that allows authenticated attackers to read arbitrary files by importing a crafted session with an unrestricted workspace value. Attackers can supply a blocked filesystem root in the workspace fie...