{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6832", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-21T21:38:22.208Z", "datePublished": "2026-04-21T21:44:55.301Z", "dateUpdated": "2026-04-21T21:44:55.301Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-21T21:44:55.301Z"}, "title": "Nesquena Hermes WebUI Arbitrary File Deletion via Unvalidated session_id", "datePublic": "2026-04-21T22:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "affected": [{"vendor": "nesquena", "product": "hermes-webui", "versions": [{"status": "affected", "version": "0", "lessThan": "PR #409", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system.</p>"}]}], "references": [{"url": "https://github.com/nesquena/hermes-webui/pull/409", "name": "Pull Request", "tags": ["patch"]}, {"url": "https://github.com/nesquena/hermes-webui/pull/412", "name": "Pull Request"}, {"url": "https://github.com/nesquena/hermes-webui/commit/3cc5839bf303fa6758bfdac538507407a2929655", "name": "Patch Commit"}, {"url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132", "name": "Release Notes", "tags": ["third-party-advisory"]}, {"url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.50.32", "name": "Release Notes", "tags": ["third-party-advisory"]}, {"url": "https://www.vulncheck.com/advisories/nesquena-hermes-webui-arbitrary-file-deletion-via-unvalidated-session-id", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Chia Min Jun Lennon", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system."}], "id": "CVE-2026-6832", "lastModified": "2026-04-21T22:16:21.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-21T22:16:21.040", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/nesquena/hermes-webui/commit/3cc5839bf303fa6758bfdac538507407a2929655"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/nesquena/hermes-webui/pull/409"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/nesquena/hermes-webui/pull/412"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.50.32"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/nesquena-hermes-webui-arbitrary-file-deletion-via-unvalidated-session-id"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T06:19:41.037863+00:00", "value": {"mitigation_remediation": ["Update Hermes WebUI to version v0.50.132 or later, which contains the path\u2011validation fix for the /api/session/delete endpoint.", "Apply the commit 3cc5839bf303fa6758bfdac538507407a2929655 that was merged in the above release.", "Restrict access to the /api/session/delete endpoint to only trusted users or network segments, and ensure that the session_id parameter is tightly validated against the session directory boundary."], "summary": {"action": "Apply Patch", "impact": "Authenticated arbitrary file deletion"}, "threat_synthesis": {"affected_systems": "The affected product is Hermes WebUI from nesquena. No specific version information is provided in the advisory, but the patch on GitHub and the release notes for tags v0.50.132 and v0.50.32 suggest that these releases contain the fix.", "description_and_impact": "Hermes WebUI allows an attacker who has already authenticated to delete arbitrary files on the host system. The flaw resides in the /api/session/delete endpoint where the session_id parameter is not validated for path correctness, enabling absolute or traversal paths to be supplied. This permits removal of writable JSON files located outside the intended session directory, potentially destroying configuration data or other critical files. The vulnerability is a classic absolute path traversal (CWE-22) and results in loss of data integrity and availability.", "risk_and_exploitability": "The CVSS score of 7.2 places the issue in the high\u2011severity range, and while an EPSS score is not available, the lack of a KEV listing indicates no widespread, known exploitation. A successful exploit requires authenticated access to the API, so the attack is limited to users who can log in to the WebUI. Once authenticated, an attacker can craft a session_id that points to any writable file on the host, leading to file deletion. The risk remains significant for organizations that rely on Hermes WebUI for configuration or data storage."}}}}, "created": "2026-04-22T04:45:09.344292+00:00", "updated": "2026-04-22T06:30:10.669709+00:00", "vendors": []}