PT-2026-34195 · Unknown · Hermes-Webui

Hinotoi-Agent · Published 2026-04-21 · Updated 2026-06-04 · CVE-2026-6832

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Hermes WebUI (affected versions not specified)

Description

An arbitrary file deletion issue exists in the '/api/session/delete' endpoint. Authenticated attackers can delete files outside the session directory by providing an absolute path or path traversal payload in the session id parameter. This occurs because unvalidated session identifiers allow the construction of paths that bypass the SESSION DIR boundary, enabling the deletion of writable JSON files on the host system.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
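
A containment check for the path construction described above, as an added example that is not code from Hermes WebUI. The one-file-per-session `<session_id>.json` layout, the identifier alphabet, and all function names are assumptions made for illustration.

```python
import re
from pathlib import Path

# Assumption: each session is stored as "<session_id>.json" in the session dir.
# Assumption: legitimate ids use only this alphabet; adjust to the real format.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_session_path(session_dir: Path, session_id: str) -> Path:
    """Unvalidated construction, the pattern the description refers to.

    pathlib (like os.path.join) discards session_dir entirely when
    session_id is absolute, and keeps ".." components when it is relative.
    """
    return session_dir / f"{session_id}.json"


def safe_session_path(session_dir: Path, session_id: str) -> Path:
    """Return the session file path, or raise ValueError if it is not contained."""
    # fullmatch, not match: "$" would still accept a trailing newline.
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("invalid session id")
    base = session_dir.resolve()
    candidate = (base / f"{session_id}.json").resolve()
    # Defence in depth: after resolving symlinks the file must sit directly
    # inside the session directory.
    if candidate.parent != base:
        raise ValueError("path escapes session directory")
    return candidate


def delete_session(session_dir: Path, session_id: str) -> bool:
    """Delete one session file; return False when no such session exists."""
    path = safe_session_path(session_dir, session_id)
    if not path.is_file():
        return False
    path.unlink()
    return True


if __name__ == "__main__":
    base = Path("/srv/app/sessions")  # constructed example directory
    for sid in ["abc123", "../config", "/srv/app/config"]:  # constructed inputs
        print(repr(sid), "->", naive_session_path(base, sid))
```

Until a fixed release is available, requests to the endpoint whose session id contains a path separator or `..` are also worth alerting on in web or proxy logs.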

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-6832

Affected Products

Hermes-Webui