CVE-2026-49956

Description

Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to retrieve session titles and transcript message content from profiles other than their own active profile.

Scoring

CVSS: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.27% probability of exploitation · percentile 18.8% · 2026-06-18T12:00:27Z
Last modified: 2026-06-09

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-49957
CVE-2026-49955
CVE-2026-49959
CVE-2026-49202
CVE-2026-6832
CVE-2026-11322

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.