CVE-2026-22677

Severity CVSS v4.0:
MEDIUM
Type:
CWE-22 Path Traversal
Publication date:
13/05/2026
Last modified:
26/05/2026

Description

Hermes WebUI prior to 0.51.44 contains a path traversal vulnerability in the session import endpoint that allows authenticated attackers to read arbitrary files by importing a crafted session with an unrestricted workspace value. Attackers can supply a blocked filesystem root in the workspace field and subsequently use relative paths in the session file API to access any file readable by the WebUI process.