SYS::ONLINE
Wasteland.
Briefs1145
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-58123 2026-07-09

Hermes WebUI Unauthenticated RCE — CVE-2026-58123

"A critical unauthenticated remote code execution flaw in Hermes WebUI lets remote attackers run arbitrary shell commands through the embedded terminal API without any credentials."

A critical unauthenticated remote code execution flaw in Hermes WebUI lets remote attackers run arbitrary shell commands through the embedded terminal API without any credentials.

What Is It

CVE-2026-58123 is an unauthenticated remote code execution vulnerability in Hermes WebUI (vendor nesquena) affecting all versions before 0.51.788. The product exposes embedded terminal API endpoints that require no authentication. An attacker can create a session, attach a PTY shell, and write arbitrary commands through the terminal input endpoint; achieving full command execution as the server process user via four sequential unauthenticated HTTP requests. The weakness is classified as CWE-306 (Missing Authentication for Critical Function).

Why It Matters

The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS 4.0 secondary score of 9.3 (CRITICAL). It is exploitable over the network with low attack complexity, requires no privileges and no user interaction, and results in high impact to confidentiality, integrity, and availability. Because exploitation needs only four unauthenticated HTTP requests, it is trivially weaponizable against any exposed instance, giving attackers full command execution as the server process user.

Note: no CISA KEV entry was supplied for this CVE, so active exploitation is not confirmed in the provided source material.

What's Vulnerable

No affected CPEs were listed in the NVD record.

Patch Status

A fix is available in release v0.51.788. The remediation was delivered via pull request #5268 and commit d257e5f. Administrators should upgrade any Hermes WebUI instance to version 0.51.788 or later. As of the NVD publication (2026-07-09), the record is in "Received" status.

Sources