
Description

Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability. An authenticated attacker who can write to a workspace repository's .git/config file can place Git configuration there that names a program for Git to run, and Git runs it when the application invokes Git as a subprocess from api/workspace_git.py. Vectors include core.fsmonitor (a hook command Git runs during git status), protocol.ext.allow together with an ext:: remote (run during git fetch), credential.helper, core.askPass and core.gitProxy, as well as environment variables the Git subprocess inherits from the application, such as GIT_SSH_COMMAND. The result is arbitrary command execution on the host running the application, with the privileges of the application process.
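The vectors above share one mechanism: Git reads .git/config from the repository it is pointed at, and several keys in that file name a program for Git to spawn. The following is an added example, not Hermes WebUI's code and not the fix in the referenced commit, of how a server that must run Git on user-supplied repositories can audit the file for those keys before invoking Git and, for the keys where the last value wins, override them on the command line while rebuilding the subprocess environment. The function names (audit_git_config, build_safe_git_command, _demo), the sample configs and the throwaway repository in _demo are constructed for this example; it assumes a plain .git directory rather than a gitfile, and it goes slightly beyond the advisory's list by also flagging core.sshCommand (the config counterpart of GIT_SSH_COMMAND) and ext:: remote URLs.

```python
"""Added example, not Hermes WebUI's code: audit an untrusted .git/config for the
config-driven command execution vectors the advisory lists, and run git with them
neutralised.  Names are hypothetical; the demo at the bottom needs git on PATH."""
import os, re, shlex, shutil, subprocess, tempfile
from pathlib import Path

_SECTION_RE = re.compile(r'^\[([^\s"\]]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]')
_KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=(.*))?$')
_BOOLS = {"", "true", "false", "yes", "no", "on", "off", "1", "0"}

def _git_value(raw):
    """Drop "..." quotes and stop at an unquoted ';' or '#' (git's comment rule);
    backslash escapes are not handled, this is an audit rather than a full parser."""
    out, quoted = [], False
    for c in raw:
        if c == '"':
            quoted = not quoted
        elif c in "#;" and not quoted:
            break
        else:
            out.append(c)
    return "".join(out).strip()

def parse_git_config(text):
    """Yield (key, value) in file order; key is section[.subsection].name with
    section and name lowercased as git does (subsections stay case-sensitive)."""
    prefix = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := _SECTION_RE.match(line):
            prefix = m.group(1).lower() + ("" if m.group(2) is None else "." + m.group(2))
        elif (m := _KEY_RE.match(line)) and prefix is not None:
            value = "true" if m.group(2) is None else _git_value(m.group(2))  # bare key = true
            yield f"{prefix}.{m.group(1).lower()}", value

def audit_git_config(text):
    """Return [(key, value)] for settings that let the file's author pick a program git
    will spawn: the advisory's vectors, plus core.sshCommand and ext:: remote URLs."""
    findings = []
    for key, value in parse_git_config(text):
        section, name = key.split(".", 1)[0], key.rsplit(".", 1)[-1]
        if ((key == "core.fsmonitor" and value.lower() not in _BOOLS)  # hook runs on `git status`
                or key in ("core.askpass", "core.gitproxy", "core.sshcommand")
                or (section == "credential" and name == "helper")  # incl. credential.<url>.helper
                or (key == "protocol.ext.allow" and value.lower() != "never")  # re-enables ext::
                or (section == "remote" and name in ("url", "pushurl") and value.startswith("ext::"))):
            findings.append((key, value))
    return findings

_OVERRIDES = (
    "core.fsmonitor=",           # empty value: nothing to run on `git status`
    "protocol.ext.allow=never",  # ext::<command> remotes stay refused
    "protocol.git.allow=never",  # git:// is the only transport that consults core.gitProxy, and git
                                 # keeps the first core.gitProxy match, so a -c value could not override it
    "credential.helper=",        # an empty value clears the helper list read so far
    "core.askPass=",             # no askpass program; GIT_ASKPASS/SSH_ASKPASS are not inherited below
)

def build_safe_git_command(git_args, repo, parent_env=None):
    """argv and env for git on an untrusted checkout: -c values are read after .git/config,
    so they win for last-wins keys; the env is rebuilt so no GIT_* or *_ASKPASS leaks in."""
    parent_env = os.environ if parent_env is None else parent_env
    argv = ["git", "-C", str(repo)]
    for kv in _OVERRIDES:
        argv += ["-c", kv]
    env = {k: parent_env[k] for k in ("PATH", "HOME", "LANG", "LC_ALL") if k in parent_env}
    env["GIT_TERMINAL_PROMPT"] = "0"  # fail rather than wait for a prompt
    env["GIT_SSH_COMMAND"] = "ssh"    # the env var beats core.sshCommand, so pin it
    return argv + list(git_args), env

def _demo():
    """Constructed repro: the naive `git status` shape runs the attacker's core.fsmonitor
    hook, the hardened argv/env does not, and the audit flags the key."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, marker = Path(tmp, "ws"), Path(tmp, "hook-ran")
        subprocess.run(["git", "init", "-q", str(repo)], check=True)
        (repo / "README").write_text("hi\n")
        subprocess.run(["git", "-C", str(repo), "add", "README"], check=True)  # index needs an entry
        with open(repo / ".git" / "config", "a") as f:  # what the attacker writes
            f.write(f"[core]\n\tfsmonitor = touch {shlex.quote(str(marker))}\n")
        subprocess.run(["git", "status"], cwd=repo, capture_output=True)  # vulnerable call shape
        print("naive git status ran the hook:", marker.exists())
        marker.unlink(missing_ok=True)
        argv, env = build_safe_git_command(["status"], repo)
        subprocess.run(argv, env=env, capture_output=True)
        print("hardened git status ran the hook:", marker.exists())
        print("audit:", audit_git_config((repo / ".git" / "config").read_text()))

if __name__ == "__main__" and shutil.which("git"):
    _demo()
```

In a server the two functions are used together: read .git/config, refuse the request if audit_git_config returns anything, and only then spawn Git with the argv and env from build_safe_git_command. The overrides only cover keys Git resolves last-wins; core.gitProxy is first-match, which is why the example refuses the git:// transport (the only one that consults it) rather than trying to override the key, and why the pre-flight audit is the primary control. Run as a script with git on PATH, the demo shows the marker file written by the hook after the naive call and absent after the hardened one. None of this replaces upgrading to 0.51.311.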

State: PUBLISHED | Reserved: 2026-06-02 | Published: 2026-06-09 | Updated: 2026-06-10 | Assigner: VulnCheck

HIGH: 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: affected

Any version before 0.51.311: affected

Credits

Chia Min Jun Lennon (finder)

References

github.com/nesquena/hermes-webui/releases/tag/v0.51.311 (release-notes)

github.com/nesquena/hermes-webui/pull/3776 (issue-tracking)

github.com/...ommit/938ac9f55b53def1eefb48c4c42dabaf9c22e99c (patch)

www.vulncheck.com/...bui-rce-via-git-configuration-injection (third-party-advisory)

cve.org (CVE-2026-49959)

nvd.nist.gov (CVE-2026-49959)
