PatchSiren cyber security CVE debrief
CVE-2026-11322 nesquena CVE debrief
CVE-2026-11322 is a path traversal vulnerability in Hermes WebUI prior to v0.51.221. This vulnerability allows attackers to escape the workspace boundary by supplying symlinks that resolve to files or directories outside the designated workspace root. Attackers can exploit the workspace file and listing APIs, which resolve symlink targets without enforcing that the final path remains within the workspace, to read external host files accessible to the server process and disclose sensitive data such as SSH keys, cloud credentials, or application tokens.
- Vendor
- nesquena
- Product
- Hermes WebUI
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-04
- Original CVE updated
- 2026-06-05
- Advisory published
- 2026-06-04
- Advisory updated
- 2026-06-05
Who should care
Users of Hermes WebUI prior to v0.51.221 should apply the patch to prevent exploitation of this vulnerability.
Technical summary
The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
HIGH
Recommended defensive actions
- Apply the patch to upgrade Hermes WebUI to v0.51.221 or later.
- Restrict access to the workspace file and listing APIs to prevent exploitation.
- Monitor for suspicious activity and implement additional security measures to protect sensitive data.
Evidence notes
The vulnerability was reported by Vulncheck and is tracked under CVE-2026-11322.
Official resources
CVE-2026-11322 was published on 2026-06-04T22:16:52.283Z and modified on 2026-06-05T20:17:28.260Z.