CVE-2026-14628

Summary

A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extract_media of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
NousResearchhermes-agent2026.5.0affected
NousResearchhermes-agent2026.5.1affected
NousResearchhermes-agent2026.5.2affected
NousResearchhermes-agent2026.5.3affected
NousResearchhermes-agent2026.5.4affected
NousResearchhermes-agent2026.5.5affected
NousResearchhermes-agent2026.5.6affected
NousResearchhermes-agent2026.5.7affected
NousResearchhermes-agent2026.5.8affected
NousResearchhermes-agent2026.5.9affected
NousResearchhermes-agent2026.5.10affected
NousResearchhermes-agent2026.5.11affected
NousResearchhermes-agent2026.5.12affected
NousResearchhermes-agent2026.5.13affected
NousResearchhermes-agent2026.5.14affected
NousResearchhermes-agent2026.5.15affected
NousResearchhermes-agent2026.5.16affected

Weaknesses

  • CWE-22: Path Traversal

References