Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the sessionid parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSIONDIR boundary and delete writable JSON files on the host system.
{
"cwe_ids": [
"CWE-22"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6832.json",
"unresolved_ranges": [
{
"extracted_events": [
{
"fixed": "PR #409"
}
],
"source": "AFFECTED_FIELD"
},
{
"extracted_events": [
{
"fixed": "pr #409"
}
],
"source": "CPE_FIELD"
}
],
"cna_assigner": "VulnCheck"
}{
"cpe": "cpe:2.3:a:get-hermes:hermes_web_ui:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "0.50.32"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}