Cross-Site Scripting Vulnerability in NousResearch Hermes-Agent's Matrix Adapter
CVE-2026-15311
Key Information:
- Vendor
Nousresearch
- Status
- Vendor
- CVE Published:
- 9 July 2026
Badges
What is CVE-2026-15311?
A cross-site scripting vulnerability exists in the Matrix Adapter component of NousResearch's Hermes-Agent, specifically in the MatrixAdapter._markdown_to_html function located in the gateway/platforms/matrix.py file. This flaw allows attackers to execute scripts remotely by manipulating markdown inputs, potentially leading to unauthorized actions on behalf of users. The exploit is publicly known, and a pull request to address this issue is currently pending acceptance.
Affected Version(s)
hermes-agent 2026.5.29.0
hermes-agent 2026.5.29.1
hermes-agent 2026.5.29.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
