GHSA-p52p-4vmg-4vq3CriticalCVSS 9.4

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that...

Published
June 11, 2026
Last Modified
June 11, 2026

🔗 CVE IDs covered (1)

📋 Description

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable network can send a POST request to the settings endpoint during the first-run setup window to persist an arbitrary password hash, obtain a valid session cookie, and lock out the legitimate operator from their own instance.

🔗 References (7)