Unauthenticated Remote Code Execution Vulnerability in Hermes WebUI
CVE-2026-58123

9.3CRITICAL

Key Information:

Vendor

Nesquena

Vendor
CVE Published:
9 July 2026

What is CVE-2026-58123?

The Hermes WebUI before version 0.51.788 is susceptible to an unauthenticated remote code execution vulnerability. This flaw enables remote attackers to execute arbitrary shell commands by exploiting the embedded terminal API endpoints without requiring any user credentials. By creating a session and utilizing a PTY shell, attackers can issue arbitrary commands through the terminal input endpoint, thereby achieving full command execution as the server process's user through a series of four unauthenticated HTTP requests. This presents a significant security threat, allowing unauthorized users to gain control over the affected system.

Affected Version(s)

hermes-webui 0

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Katriel Moses
VulnCheck
.