Unauthenticated Remote Code Execution Vulnerability in Hermes WebUI
CVE-2026-58123
9.3CRITICAL
What is CVE-2026-58123?
The Hermes WebUI before version 0.51.788 is susceptible to an unauthenticated remote code execution vulnerability. This flaw enables remote attackers to execute arbitrary shell commands by exploiting the embedded terminal API endpoints without requiring any user credentials. By creating a session and utilizing a PTY shell, attackers can issue arbitrary commands through the terminal input endpoint, thereby achieving full command execution as the server process's user through a series of four unauthenticated HTTP requests. This presents a significant security threat, allowing unauthorized users to gain control over the affected system.
Affected Version(s)
hermes-webui 0
