CVE-2026-6832
Nesquena Hermes WebUI Arbitrary File Deletion via Unvalidated session_id
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system.
| CWE | CWE-22 |
| Vendor | nesquena |
| Product | hermes-webui |
| Published | Apr 21, 2026 |
Stay Ahead of the Next One
Get instant alerts for nesquena hermes-webui
Be the first to know when new high vulnerabilities affecting nesquena hermes-webui are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
Affected Versions
nesquena / hermes-webui
0 < PR #409
References
github.com: https://github.com/nesquena/hermes-webui/pull/409 github.com: https://github.com/nesquena/hermes-webui/pull/412 github.com: https://github.com/nesquena/hermes-webui/commit/3cc5839bf303fa6758bfdac538507407a2929655 github.com: https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132 github.com: https://github.com/nesquena/hermes-webui/releases/tag/v0.50.32 vulncheck.com: https://www.vulncheck.com/advisories/nesquena-hermes-webui-arbitrary-file-deletion-via-unvalidated-session-id
Credits
Chia Min Jun Lennon