PatchSiren cyber security CVE debrief
CVE-2026-49959 nesquena CVE debrief
CVE-2026-49959 is a high-severity remote code execution vulnerability in Hermes WebUI versions before 0.51.311. Authenticated attackers can exploit this via Git configuration injection to execute arbitrary commands on the host running the application. The vulnerability is caused by the application's use of Git subprocess invocations in api/workspace_git.py, which can be exploited through various vectors such as core.fsmonitor during git status, protocol.ext.allow with ext:: remotes during git fetch, credential.helper, core.askPass, core.gitProxy, or inherited environment variables including GIT_SSH_COMMAND.
- Vendor
- nesquena
- Product
- hermes-webui
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-09
- Original CVE updated
- 2026-06-09
- Advisory published
- 2026-06-09
- Advisory updated
- 2026-06-09
Who should care
Users of Hermes WebUI versions before 0.51.311 should apply the patch to prevent exploitation of this vulnerability.
Technical summary
The vulnerability has a CVSS score of 8.7 and is classified as HIGH severity. It can be exploited by authenticated attackers with low privileges.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Hermes WebUI version 0.51.311 or later.
- Review and restrict access to Git configuration files in workspace repositories.
- Monitor for suspicious activity in Git subprocess invocations.
Evidence notes
Evidence for this CVE comes from Vulncheck and the National Vulnerability Database (NVD).
Official resources
CVE-2026-49959 was published on 2026-06-09T17:17:49.370Z and modified on 2026-06-09T19:36:10.547Z.