hermes-agent
PyPI2 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting hermes-agentpage 1 of 1
- CVE-2026-53869HIGHCVSS 7.5EG 7.5✓ Fixed in 0.16.02026-06-17
vulnerable: 0.13.0, 0.14.0, 0.15.0, 0.15.1, 0.15.2
Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty…
- CVE-2026-53870MEDIUMCVSS 5.5EG 5.5✓ Fixed in 0.16.02026-06-17
vulnerable: 0.13.0, 0.14.0, 0.15.0, 0.15.1, 0.15.2
Hermes Agent before 0.16.0 creates response_store.db and webhook_subscriptions.json with world-readable permissions (mode 0o644), exposing conversation history and HMAC secrets to local users. Attackers with local filesystem access can rea…
Check whether hermes-agent is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for hermes-agent CVEs against the assets you own.
Start Free Scan →