CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2026-58123 — Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution v...

·Source: NIST NVD

Updated:

Executive Summary

Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary shell commands by accessing the embedded terminal API endpoints without credentials. Attackers can create a session, attach a PTY shell, and write arbitrary commands through the terminal input endpoint to achieve full command execution as the server process

Analysis

Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary shell commands by accessing the embedded terminal API endpoints without credentials. Attackers can create a session, attach a PTY shell, and write arbitrary commands through the terminal input endpoint to achieve full command execution as the server process user via four sequential unauthenticated HTTP requests. CVSS Score: 9.8. Published: 2026-07-09T22:17:09.517.

Indicators of Compromise (1)

CVE (1)
CVE-2026-58123
Source Attribution

Originally published by NIST NVD on Jul 9, 2026. Verified by: NIST.

Related Threats