CVE-2026-53871
published 2026-06-17

CVE-2026-53871: Hermes WebUI < 0.51.368 - Profile-Scoped Authorization Bypass via Forged hermes_profile Cookie

Severity: High, 8.6 (CVSS 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.36% (28.4th percentile)
Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the get_profile_cookie() function that accepts unauthenticated profile names from the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie value to bypass profile-scoped authorization checks and access sessions, files, and resources across different profiles.

Affected

1 range

Vendor: nesquena
Product: hermes-webui
Version range: < 0.51.368
Fixed in: 0.51.368