Description
Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in api/workspace_git.py through vectors such as core.fsmonitor during git status, protocol.ext.allow with ext:: remotes during git fetch, credential.helper, core.askPass, core.gitProxy, or inherited environment variables including GIT_SSH_COMMAND to achieve arbitrary command execution on the host running the application.
Published: 2026-06-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hermes WebUI prior to version 0.51.311 permits an authenticated attacker to execute arbitrary commands on the host by inserting malicious entries into a workspace repository's .git/config file. The flaw stems from the application's Git subprocess invocations (such as git status and git fetch), which honor repository-level configuration options like core.fsmonitor, protocol.ext.allow, credential.helper, core.askPass and core.gitProxy, as well as inherited environment variables such as GIT_SSH_COMMAND; each of these can make Git run a program of the attacker's choosing. The weakness is classified as CWE-78 (OS command injection).

Affected Systems

The affected product is Hermes WebUI, provided by nesquena, in all releases earlier than 0.51.311. Any installation in which users can modify a workspace repository's Git configuration is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.7 reflects high severity with user interaction required and a network attack vector. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that no active exploitation is publicly known at this time. The attack requires a legitimate user account with write access to a workspace repository; by crafting a malicious .git/config entry, the attacker can abuse Git's subprocess handling to run arbitrary commands on the application server. Because the flaw is triggered by repository-internal Git configuration rather than by request input, the attack surface is limited to authenticated users who can modify a repository's configuration.

Generated by OpenCVE AI on June 9, 2026 at 20:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hermes WebUI to version 0.51.311 or newer, where the Git configuration injection flaw has been addressed.
  • If immediate upgrade is not feasible, audit all workspace repositories and delete any custom Git configuration entries from their .git/config files, ensuring no malicious commands remain.
  • For the process that runs Hermes WebUI, disable or restrict the Git options that can launch external commands (core.fsmonitor, protocol.ext.allow, credential.helper, core.askPass, core.gitProxy) and unset environment variables such as GIT_SSH_COMMAND in that process's environment.
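The audit and hardening steps above, as an added example (not code from Hermes WebUI or OpenCVE): a Python script that parses a workspace .git/config, flags the configuration keys the advisory lists (and, going slightly beyond the page, include.path and per-URL credential helpers, which have the same effect), builds a git command line whose -c overrides take precedence over the repository config, and strips the command-running environment variables before spawning git. The config parser, the sample .git/config and all function names are constructed for this example; GIT_SSH, GIT_ASKPASS and GIT_PROXY_COMMAND are documented git variables that the page itself does not name.

```python
import os
import re
import subprocess

# Keys whose value a later "git status" / "git fetch" runs or loads as code: the
# advisory's list, plus include paths and per-URL credential helpers.
DANGEROUS_KEYS = {"core.fsmonitor", "core.askpass", "core.gitproxy",
                  "credential.helper", "protocol.ext.allow"}
DANGEROUS_KEY_RE = re.compile(r"^(include\.path|includeif\..+\.path|credential\..+\.helper)$")

# Environment variables git consults for a command to run.  GIT_SSH_COMMAND is
# the one the advisory names; the others are documented git variables.
COMMAND_ENV_VARS = ("GIT_SSH_COMMAND", "GIT_SSH", "GIT_ASKPASS", "GIT_PROXY_COMMAND")

_SECTION_RE = re.compile(r'^\[([^\s"\]]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]$')
_KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$")

def _strip_comment(line):
    """Drop a trailing '#' or ';' comment unless it sits inside quotes."""
    out, quoted, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # keep escaped characters
            out.append(line[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch in "#;" and not quoted:
            break
        out.append(ch)
        i += 1
    return "".join(out).strip()

def parse_git_config(text):
    """Return (key, value) pairs keyed in git's canonical dotted form: names
    lowercased, subsections verbatim, a bare variable meaning 'true'."""
    entries, section = [], None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f"{name}.{sub}" if sub is not None else name
            continue
        m = _KEY_RE.match(line)
        if m is None or section is None:
            raise ValueError(f"unparseable config line: {raw!r}")
        value = "true" if m.group(2) is None else m.group(2).strip().strip('"')
        entries.append((f"{section}.{m.group(1).lower()}", value))
    return entries

def audit_git_config(text):
    """Return (key, value, reason) for each entry that can spawn a program."""
    findings = []
    for key, value in parse_git_config(text):
        if key in DANGEROUS_KEYS or DANGEROUS_KEY_RE.match(key):
            findings.append((key, value, "value is run or loaded as external code"))
        elif key.endswith(".url") and value.startswith("ext::"):
            findings.append((key, value, "ext:: remote spawns the named program"))
    return findings

def sanitized_git_env(base_env):
    """Copy of the environment without the variables that name a command."""
    return {k: v for k, v in base_env.items() if k not in COMMAND_ENV_VARS}

def hardened_git_argv(*git_args):
    """argv for git with -c overrides, which outrank .git/config: fsmonitor off
    (git 2.35+ reads it as a boolean), ext:: refused, the credential-helper
    list reset and askPass cleared.  core.gitProxy is left to the audit."""
    argv = ["git"]
    for item in ("core.fsmonitor=false", "protocol.ext.allow=never",
                 "credential.helper=", "core.askPass="):
        argv += ["-c", item]
    return argv + list(git_args)

def run_git(repo_dir, *git_args):
    """Run git inside repo_dir with the overrides and a scrubbed environment."""
    return subprocess.run(hardened_git_argv(*git_args), cwd=repo_dir,
                          env=sanitized_git_env(os.environ),
                          capture_output=True, text=True, check=False)

# Constructed sample .git/config carrying the advisory's vectors (inert paths).
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfsmonitor = /path/to/attacker-controlled-script ; run by "git status"
[remote "origin"]
\turl = ext::/path/to/attacker-controlled-program
[protocol "ext"]
\tallow = always
[credential]
\thelper = "!/path/to/attacker-controlled-helper"
"""

if __name__ == "__main__":
    for key, value, why in audit_git_config(SAMPLE_CONFIG):
        print(f"{key} = {value!r}: {why}")
```

Running the file prints the four flagged entries of the constructed sample (core.fsmonitor, remote.origin.url, protocol.ext.allow, credential.helper) and leaves the harmless repositoryformatversion line alone. run_git(workspace_dir, "status", "--porcelain") shows how code in the position of api/workspace_git.py would spawn git with the overrides and the scrubbed environment; since the -c overrides do not cover core.gitProxy, the audit step still has to run before the repository is used.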

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 14:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 00:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Nesquena; Nesquena hermes-webui
Vendors & Products  |                | Nesquena; Nesquena hermes-webui

Tue, 09 Jun 2026 17:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in api/workspace_git.py through vectors such as core.fsmonitor during git status, protocol.ext.allow with ext:: remotes during git fetch, credential.helper, core.askPass, core.gitProxy, or inherited environment variables including GIT_SSH_COMMAND to achieve arbitrary command execution on the host running the application.
Title       |                | Hermes WebUI < 0.51.311 RCE via Git Configuration Injection
Weaknesses  |                | CWE-78
References  |                |
Metrics     |                | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Nesquena Hermes-webui
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T13:50:27.809Z

Reserved: 2026-06-02T16:30:15.233Z

Link: CVE-2026-49959

Vulnrichment

Updated: 2026-06-10T13:50:22.524Z

NVD

Status : Deferred

Published: 2026-06-09T17:17:49.370

Modified: 2026-06-09T19:36:10.547

Link: CVE-2026-49959

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:00:10Z

Weaknesses