Which versions of hermes-agent are affected by EUVD-2026-31579?

CVE-2026-9367 is a critical remote command injection vulnerability in NousResearch hermes-agent that allows unauthenticated attackers to execute arbitrary operating system commands, potentially…

Is there a public PoC exploit available for EUVD-2026-31579?

Yes, a public proof-of-concept exploit is available for EUVD-2026-31579. Prioritise patching immediately. EPSS: 1.0%.

hermes-agent EUVD-2026-31579

Q: What is the CVSS score of EUVD-2026-31579?

EUVD-2026-31579 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 1.0%.

| CVE-2026-9367 MEDIUM

OS Command Injection (CWE-78)

2026-05-24 VulDB

GHSA-h9mm-g7gx-9mx6

Command Injection

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

May 26, 2026 - 19:52 NVD

HIGH MEDIUM

CVSS changed

May 26, 2026 - 19:52 NVD

7.3 (HIGH) 5.5 (MEDIUM)

Analysis Generated

May 24, 2026 - 09:30 vuln.today

DescriptionNVD

A vulnerability was determined in NousResearch hermes-agent up to 5157f5427f19488b31c6fdebbacd15d798ce7f63. This affects the function detect_dangerous_command of the file tools/approval.py of the component terminal_tool. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Remote command injection in NousResearch hermes-agent allows unauthenticated attackers to execute arbitrary OS commands through the terminal_tool component's approval mechanism. The vulnerability affects all versions up to commit 5157f5427f19488b31c6fdebbacd15d798ce7f63 and has publicly available exploit code demonstrating the attack. …

RemediationAI

Within 24 hours: Inventory all systems running NousResearch hermes-agent and isolate affected instances from production networks if business-critical. Within 7 days: Evaluate alternative AI agent frameworks without known critical vulnerabilities; if hermes-agent is essential, implement the compensating controls listed below and document risk acceptance. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-31579 vulnerability details – vuln.today

Back

hermes-agent EUVD-2026-31579

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

hermes-agent EUVD-2026-31579

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code