CVE-2026-49958

Description

Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use (TOCTOU) race condition vulnerability in the git_discard function within api/workspace_git.py that allows attackers to delete files outside the configured workspace boundary by replacing a validated path component with a symlink after validation but before deletion. Attackers can substitute a workspace-controlled path component with a symlink pointing to an external directory between the safe_resolve_ws() validation step and the subsequent Path.unlink() or shutil.rmtree() deletion call, causing the delete operation to follow the symlink and remove arbitrary files outside the workspace.
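
A way to close the gap between check and delete for the Path.unlink() case, shown as an added example (not Hermes WebUI's code or its actual fix): walk the path one component at a time with directory file descriptors and O_NOFOLLOW, then unlink relative to the held descriptor. The names `safe_unlink` and `demo` are hypothetical, the sample tree is constructed, and a POSIX system with `dir_fd` support is assumed.

```python
import os
import tempfile


def safe_unlink(workspace: str, rel_path: str) -> None:
    """Delete workspace/rel_path, refusing to traverse a symlinked directory."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("path must name an entry inside the workspace")
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    # Assumption: the workspace root itself is trusted configuration.
    dir_fd = os.open(workspace, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            # Each component is opened relative to the directory already held,
            # so swapping a path component afterwards cannot redirect the delete.
            # O_NOFOLLOW makes the open raise OSError if `name` is a symlink.
            next_fd = os.open(name, dir_flags, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = next_fd
        # unlink() removes the entry itself; it never follows a final symlink.
        os.unlink(parts[-1], dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def demo() -> tuple:
    """Constructed scenario; returns (outside_file_survived, regular_file_deleted)."""
    with tempfile.TemporaryDirectory() as root:
        ws, outside = os.path.join(root, "ws"), os.path.join(root, "outside")
        os.makedirs(os.path.join(ws, "docs"))
        os.mkdir(outside)
        regular = os.path.join(ws, "docs", "note.txt")
        external = os.path.join(outside, "keep.txt")
        for path in (regular, external):
            open(path, "w").close()
        # State after the swap the advisory describes: "sub" is now a symlink.
        os.symlink(outside, os.path.join(ws, "sub"))
        try:
            safe_unlink(ws, "sub/keep.txt")
        except OSError:
            pass  # rejected: "sub" is a symlink, nothing was deleted
        safe_unlink(ws, "docs/note.txt")
        return os.path.exists(external), not os.path.exists(regular)


if __name__ == "__main__":
    print(demo())
```

The same descriptor-relative walk is needed for recursive deletion; this sketch covers only single-file removal.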

Scoring

CVSS: 5.0
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H
EPSS: 0.08% probability of exploitation · percentile 0.3% · 2026-06-18T12:00:27Z
Last modified: 2026-06-09

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-49959
CVE-2026-49957
CVE-2026-11322
CVE-2026-6832
CVE-2026-49955
CVE-2026-49956
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.