CVE-2026-15311

Source
https://cve.org/CVERecord?id=CVE-2026-15311
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15311.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-15311
Published
2026-07-09T23:45:10.318Z
Modified
2026-07-15T01:49:15.630858681Z
Severity
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
NousResearch hermes-agent Matrix Adapter matrix.py MatrixAdapter._markdown_to_html cross site scripting
Details

A vulnerability was identified in NousResearch hermes-agent up to 2026.5.29.2. Affected by this issue is the function MatrixAdapter.markdownto_html of the file gateway/platforms/matrix.py of the component Matrix Adapter. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.

Database specific
{
    "cwe_ids": [
        "CWE-79",
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15311.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "2026.5.29.0"
                },
                {
                    "last_affected": "2026.5.29.0"
                },
                {
                    "introduced": "2026.5.29.1"
                },
                {
                    "last_affected": "2026.5.29.1"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/nousresearch/hermes-agent

Affected ranges

Type
GIT
Repo
https://github.com/nousresearch/hermes-agent
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2026.5.29.2"
        },
        {
            "last_affected": "2026.5.29.2"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

2026.*
2026.5.29.2
v2026.*
v2026.5.29.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15311.json"