dobby-d-elf

1 exploit Active since May 2026
CVE-2026-22677 WRITEUP MEDIUM WRITEUP
Hermes WebUI < 0.51.44 - Release T Path Traversal via Session Import Endpoint
Hermes WebUI prior to 0.51.44 contains a path traversal vulnerability in the session import endpoint that allows authenticated attackers to read arbitrary files by importing a crafted session with an unrestricted workspace value. Attackers can supply a blocked filesystem root in the workspace field and subsequently use relative paths in the session file API to access any file readable by the WebUI process.
CVSS 6.5