CVE-2026-58123
Hermes WebUI Unauthenticated Remote Code Execution via Terminal API
Halo Surface Signal: 5 out of 5 — more likely to be public-facing.
Hermes WebUI has an unauthenticated remote code execution vulnerability in its terminal API. Attackers can exploit this by sending sequential HTTP requests to run arbitrary commands as the server process user. This could lead to unauthorized command execution on systems running the WebUI. The relevance and exposure of