CVE-2026-9354

medium

Published 2026-05-24 · Modified 2026-05-26

CVSS v3

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CVSS v2

6.4

VIR risk

6.5

Description

A vulnerability was detected in NousResearch hermes-agent up to 2026.4.16. The affected element is an unknown function of the component Slack Agent/Mattermost Agent. The manipulation of the argument format_message results in escaping of output. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

References

https://vuldb.com/vuln/365317
https://vuldb.com/vuln/365317/cti
https://vuldb.com/submit/812226
https://gist.github.com/YLChen-007/e90fb38ac03284176bae49898a3a46a4

CWEs

CWE-116 CWE-74

Verify integrity in audit chain (admin only). AS-IS.