CVE-2026-49973 – Hermes WebUI < 0.51.358 Unauthenticated Password Takeover via /api/settings

CVE ID :CVE-2026-49973

Published : June 11, 2026, 8:16 p.m. | 1 hour, 3 minutes ago

Description :Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable network can send a POST request to the settings endpoint during the first-run setup window to persist an arbitrary password hash, obtain a valid session cookie, and lock out the legitimate operator from their own instance.

Severity: 9.4 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-47238 – ClipBucket: IDOR in videos subtitle editor

CVE-2026-45060 – ClipBucket: Blind SQL Injection in progress_video.php

CVE-2026-42846 – ClipBucket: Remote Play URL Command Injection

CVE-2026-45418 – ClipBucket: Blind SQL Injection in subtitle_edit.php