Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered XSS via Matrix messages requires PR:L (authenticated sender) and UI:R (victim must view); scope changes to victim browser session with low C/I impact.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was identified in NousResearch hermes-agent up to 2026.5.29.2. Affected by this issue is the function MatrixAdapter._markdown_to_html of the file gateway/platforms/matrix.py of the component Matrix Adapter. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.
AnalysisAI
Cross-site scripting in NousResearch hermes-agent (all versions through 2026.5.29.2) stems from unsanitized markdown-to-HTML conversion in the Matrix Adapter component, allowing an authenticated remote attacker to inject malicious scripts into Matrix platform messages. When a victim views the crafted content, the injected script executes in their browser context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) the attacker holds a valid authenticated low-privilege account on the targeted hermes-agent instance (PR:L - unauthenticated exploitation is not supported by the CVSS vector); (2) the hermes-agent deployment has the Matrix Adapter integration enabled, since the vulnerable function exists solely in gateway/platforms/matrix.py and is not reachable through other platform adapters; (3) a victim user must passively view the attacker-crafted message in their Matrix client (UI:P). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 2.0 (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N) accurately characterizes this as low severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user on a hermes-agent instance with the Matrix Adapter enabled crafts a markdown message embedding a malicious payload - for example, an image tag with an onerror handler or a hyperlink using a javascript: URI - and sends it to a shared Matrix room or direct channel. The _markdown_to_html function renders the message without sanitization, embedding the script in the HTML output. … |
| Remediation | No official patched release has been confirmed - the upstream fix is pending review as pull request #42759 at https://github.com/NousResearch/hermes-agent/pull/42759. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Hermes Agent
View allRemote command injection in NousResearch hermes-agent allows unauthenticated attackers to execute arbitrary OS commands
Path traversal in NousResearch hermes-agent (all versions through 2026.5.16) exposes arbitrary server-side files via the
Path traversal in NousResearch hermes-agent through version 2026.4.16 allows remote unauthenticated attackers to bypass
Remote sandbox escape in NousResearch hermes-agent versions up to 2026.4.16 allows unauthenticated attackers to manipula
Remote code/prompt injection in NousResearch Hermes Agent through 0.12.0 stems from improper neutralization in the _comp
Remote injection in NousResearch Hermes Agent through version 2026.4.30 allows unauthenticated attackers to manipulate t
Code injection in NousResearch hermes-agent 2026.4.23 allows remote unauthenticated attackers to inject and execute arbi
Remote injection vulnerability in NousResearch hermes-agent versions up to 2026.4.23 enables unauthenticated attackers t
Uncontrolled resource consumption in NousResearch hermes-agent (all versions through 2026.4.30) allows remote unauthenti
Missing authorization in NousResearch hermes-agent versions up to 2026.4.16 allows remote attackers to bypass authentica
Information disclosure in NousResearch hermes-agent allows remote unauthenticated attackers to extract sensitive data vi
A vulnerability was identified in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42764
GHSA-93m6-38r7-vqmh