Arbitrary File Deletion Vulnerability in Hermes WebUI by Nesquena
CVE-2026-6832

7.2 HIGH

Key Information:

Vendor

Nesquena

CVE Published:
21 April 2026

What is CVE-2026-6832?

Hermes WebUI is affected by a vulnerability that permits authenticated attackers to delete files outside the designated session directory. Because session identifiers are not validated, an attacker can call the /api/session/delete endpoint with an absolute path or a maliciously constructed path traversal input in place of a session identifier. The resulting unauthorized file deletion poses significant security risks, as it can impact the integrity of JSON files stored on the host system. Users of Hermes WebUI should apply the latest patches to mitigate this issue.
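The weakness class described above, shown next to a hardened check, as an added example that is not Hermes WebUI's own code. The function names, the `.json` suffix, the identifier format and the sample inputs are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed identifier format (hypothetical): short token, no separators or dots.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def naive_session_path(session_dir: Path, session_id: str) -> Path:
    """Unsafe pattern: the identifier is joined into the path unchecked."""
    # An absolute session_id replaces session_dir entirely; "../" climbs out.
    return session_dir / f"{session_id}.json"

def safe_session_path(session_dir: Path, session_id: str) -> Path:
    """Return the session file path, or raise ValueError if it would escape."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("invalid session id")
    base = session_dir.resolve()
    candidate = (base / f"{session_id}.json").resolve()
    # Defence in depth: the resolved file must sit directly in the session
    # directory (this also rejects a symlinked session file pointing elsewhere).
    if candidate.parent != base:
        raise ValueError("session path escapes session directory")
    return candidate

def demo() -> dict:
    """Run constructed inputs through both functions inside a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        session_dir = root / "sessions"
        session_dir.mkdir()
        samples = {  # constructed sample identifiers
            "plain": "abc123",
            "traversal": "../settings",
            "absolute": str(root / "settings"),
        }
        for label, sid in samples.items():
            naive = naive_session_path(session_dir, sid).resolve()
            escaped = naive.parent != session_dir
            try:
                safe_session_path(session_dir, sid)
                accepted = True
            except ValueError:
                accepted = False
            results[label] = (escaped, accepted)
    return results

if __name__ == "__main__":
    for label, (escaped, accepted) in demo().items():
        print(f"{label}: naive path escapes={escaped}, safe check accepts={accepted}")
```

The allow-list on the identifier is the primary control; the resolved-parent comparison catches anything that still lands outside the session directory before a delete is attempted.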

Affected Version(s)

hermes-webui 0

References

CVSS V4

Score:
7.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon