CVE-2026-6832

· NIST NVD ↗

Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system.

HIGH
CVSS severity
8.1
CVSS base score
2026-04-21
Published

CWE codes

CWE-22

Sources