CVE-2026-49959
HighCVSS 8.8Exploitation Probability (EPSS)
Elevated risk56th percentile - higher than 56% of all known CVEs
Summary
Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file.
Risk Assessment
Attackers can exploit this vulnerability to gain control over the system, posing a serious security threat to the organization.
Recommendation
It is recommended to update Hermes WebUI to version 0.51.311 or later to mitigate this vulnerability.
Original NVD description (English source)
Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in api/workspace_git.py through vectors such as core.fsmonitor during git status, protocol.ext.allow with ext:: remotes during git fetch, credential.helper, core.askPass, core.gitProxy, or inherited environment variables including GIT_SSH_COMMAND to achieve arbitrary command execution on the host running the application.

