Skip to main content

Hermes Agent EUVDEUVD-2026-31566

| CVE-2026-9354 MEDIUM
Improper Encoding or Escaping of Output (CWE-116)
2026-05-24 VulDB GHSA-7pxq-5rjc-m2wr
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
May 26, 2026 - 19:52 NVD
6.5 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
May 24, 2026 - 05:16 vuln.today

DescriptionCVE.org

A vulnerability was detected in NousResearch hermes-agent up to 2026.4.16. The affected element is an unknown function of the component Slack Agent/Mattermost Agent. The manipulation of the argument format_message results in escaping of output. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers to manipulate message formatting in Slack and Mattermost integrations, potentially leading to information disclosure and service disruption. The vulnerability is exploitable via crafted format_message arguments with low attack complexity and requires no user interaction. Public exploit code is available via GitHub Gist. The vendor did not respond to early disclosure attempts, and no patch availability is documented.

Technical ContextAI

The vulnerability affects the Hermes Agent messaging integration layer, specifically the format_message argument handling in Slack Agent and Mattermost Agent components. This is classified as CWE-116 (Improper Encoding or Escaping of Output), indicating the agent fails to properly sanitize or escape output when formatting messages for chat platforms. The affected component (cpe:2.3:a:nousresearch:hermes-agent) processes user-controlled input and renders it to messaging platforms without adequate output encoding. This class of vulnerability typically allows attackers to inject control characters, escape sequences, or formatting directives that bypass intended message boundaries, potentially enabling data exfiltration through crafted responses or disruption of message integrity. The network attack vector suggests the vulnerability can be triggered through API endpoints or webhook handlers that process external message formatting requests.

RemediationAI

No vendor-released patch is documented at time of analysis, as the vendor did not respond to early disclosure. Until an official fix becomes available, implement the following compensating controls: Restrict network access to Hermes Agent API endpoints and webhook handlers to trusted IP ranges only, blocking untrusted external access to format_message functionality. Deploy a reverse proxy or web application firewall to inspect and sanitize format_message parameter inputs, blocking payloads containing escape sequences, control characters, or formatting directives outside expected schemas - note this may break legitimate advanced formatting features if used. Disable Slack Agent and Mattermost Agent components entirely if not operationally required, eliminating the attack surface - impact includes loss of chat platform integration capabilities. Implement strict input validation on all external message sources before passing to format_message, though effectiveness depends on understanding the specific escaping flaw. Monitor VulDB (https://vuldb.com/vuln/365317) and NousResearch project channels for vendor response or community patches. Consider migrating to alternative agent frameworks with active security maintenance if vendor remains unresponsive. Review audit logs for suspicious format_message API calls showing manipulation attempts, focusing on unusual character patterns or formatting directives.

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

CVE-2024-40886 HIGH
8.8 Aug 22

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the

Share

EUVD-2026-31566 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy