{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/nousresearch/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-9368"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["hermes-agent (\u003c= 2026.4.16)"],"_cs_severities":["high"],"_cs_tags":["sandbox-escape","remote-code-execution","cve"],"_cs_type":"advisory","_cs_vendors":["NousResearch"],"content_html":"\u003cp\u003eA remote code execution vulnerability, identified as CVE-2026-9368, exists in NousResearch hermes-agent versions up to 2026.4.16. The vulnerability resides within the \u003ccode\u003eexecute_code\u003c/code\u003e function of the \u003ccode\u003etools/code_execution_tool.py\u003c/code\u003e file, specifically affecting the Environment Variable Handler component. A publicly available exploit allows for remote attackers to bypass the intended sandbox restrictions. The vendor, NousResearch, was contacted but did not respond to the disclosure. This vulnerability poses a significant risk as it allows attackers to execute arbitrary code outside of the intended hermes-agent sandbox.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable hermes-agent instance running a version up to 2026.4.16.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003eexecute_code\u003c/code\u003e function in \u003ccode\u003etools/code_execution_tool.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request exploits the vulnerability in the Environment Variable Handler component.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows the attacker to manipulate environment variables in a way that bypasses sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker injects arbitrary code into the environment, leveraging the compromised environment variables.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexecute_code\u003c/code\u003e function executes the injected code, now running outside the intended sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the underlying system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9368 allows a remote attacker to bypass the sandbox restrictions of hermes-agent, leading to arbitrary code execution on the host system. This can result in complete system compromise, data theft, or denial of service. The vulnerability is remotely exploitable and has a publicly available exploit, increasing the likelihood of exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for requests targeting the \u003ccode\u003eexecute_code\u003c/code\u003e function in \u003ccode\u003etools/code_execution_tool.py\u003c/code\u003e to detect potential exploitation attempts using the Sigma rule provided.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for environment variables to mitigate the vulnerability in the Environment Variable Handler component.\u003c/li\u003e\n\u003cli\u003eApply network segmentation to limit the impact of a successful sandbox escape.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious processes spawned by the hermes-agent process to detect potential post-exploitation activity using the Sigma rule provided.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:46:59Z","date_published":"2026-05-26T13:46:59Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9368/","summary":"A vulnerability in NousResearch hermes-agent up to version 2026.4.16 allows for remote exploitation of the execute_code function, leading to a sandbox escape.","title":"NousResearch hermes-agent Sandbox Vulnerability (CVE-2026-9368)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9368/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-9367"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["hermes-agent"],"_cs_severities":["high"],"_cs_tags":["command-injection","vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["NousResearch"],"content_html":"\u003cp\u003eA vulnerability, identified as CVE-2026-9367, exists in NousResearch hermes-agent up to version 5157f5427f19488b31c6fdebbacd15d798ce7f63. The vulnerability resides within the \u003ccode\u003edetect_dangerous_command\u003c/code\u003e function located in the \u003ccode\u003etools/approval.py\u003c/code\u003e file of the \u003ccode\u003eterminal_tool\u003c/code\u003e component. This flaw enables a remote attacker to inject arbitrary operating system commands. Publicly available exploits exist, increasing the risk of exploitation. The vendor was notified about the vulnerability but has not responded. This vulnerability poses a significant risk to systems running vulnerable versions of hermes-agent, potentially allowing for complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of NousResearch hermes-agent running a version up to 5157f5427f19488b31c6fdebbacd15d798ce7f63.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input designed to be processed by the \u003ccode\u003edetect_dangerous_command\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker sends this crafted input to the vulnerable \u003ccode\u003eterminal_tool\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edetect_dangerous_command\u003c/code\u003e function fails to properly sanitize the input, allowing the injection of OS commands.\u003c/li\u003e\n\u003cli\u003eThe injected OS command is executed by the system with the privileges of the hermes-agent process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker may then install malware, exfiltrate sensitive data, or pivot to other systems within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9367 allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system. This can lead to a complete compromise of the system, including the theft of sensitive information, installation of malware, and potential lateral movement within the network. Given the nature of the hermes-agent as an agent, this vulnerability could potentially expose numerous systems if successfully exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates provided by NousResearch to address CVE-2026-9367.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious commands being sent to systems running hermes-agent. Deploy the provided Sigma rule \u003ccode\u003eDetect Hermes-Agent Command Injection via detect_dangerous_command\u003c/code\u003e to identify command injection attempts.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures within the \u003ccode\u003edetect_dangerous_command\u003c/code\u003e function to prevent OS command injection.\u003c/li\u003e\n\u003cli\u003eReview and restrict the permissions of the hermes-agent process to minimize the impact of successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:46:43Z","date_published":"2026-05-26T13:46:43Z","id":"https://feed.craftedsignal.io/briefs/2026-05-hermes-agent-command-injection/","summary":"NousResearch hermes-agent up to version 5157f5427f19488b31c6fdebbacd15d798ce7f63 is vulnerable to OS command injection (CVE-2026-9367) in the `detect_dangerous_command` function allowing a remote attacker to execute arbitrary commands.","title":"NousResearch hermes-agent OS Command Injection Vulnerability (CVE-2026-9367)","url":"https://feed.craftedsignal.io/briefs/2026-05-hermes-agent-command-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-9366"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["hermes-agent (2026.4.23)"],"_cs_severities":["high"],"_cs_tags":["cve","injection","hermes-agent"],"_cs_type":"advisory","_cs_vendors":["NousResearch"],"content_html":"\u003cp\u003eA vulnerability, identified as CVE-2026-9366, has been discovered in NousResearch hermes-agent version 2026.4.23. This injection vulnerability resides within the _scan_context_content function located in the agent/prompt_builder.py file. The vulnerability can be exploited remotely, and publicly available exploits exist. The vendor was contacted about the disclosure but did not respond. This vulnerability matters because it allows attackers to inject malicious code into the application potentially leading to arbitrary code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable instance of NousResearch hermes-agent running version 2026.4.23.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious input string designed to exploit the injection vulnerability in the \u003ccode\u003e_scan_context_content\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted input to the vulnerable function, potentially through a network request or API call.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_scan_context_content\u003c/code\u003e function fails to properly neutralize special elements within the input, leading to code injection.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed within the context of the hermes-agent application.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over parts of the application.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the application.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9366 can allow an attacker to execute arbitrary code on the server running NousResearch hermes-agent. The affected version is 2026.4.23. Given the nature of injection vulnerabilities, it\u0026rsquo;s plausible that attackers could leverage this to gain full control over the system, potentially leading to data breaches, service disruption, or further lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NousResearch hermes-agent to a patched version that addresses CVE-2026-9366 (no version available).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for the \u003ccode\u003e_scan_context_content\u003c/code\u003e function in \u003ccode\u003eagent/prompt_builder.py\u003c/code\u003e to prevent injection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious patterns and payloads targeting the hermes-agent application.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts of CVE-2026-9366.\u003c/li\u003e\n\u003cli\u003eEnable and review application logs for anomalies related to the \u003ccode\u003e_scan_context_content\u003c/code\u003e function.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:46:26Z","date_published":"2026-05-26T13:46:26Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nousresearch-injection/","summary":"A remote injection vulnerability exists in NousResearch hermes-agent 2026.4.23 within the _scan_context_content function of the agent/prompt_builder.py file, allowing attackers to inject malicious code.","title":"NousResearch hermes-agent Injection Vulnerability (CVE-2026-9366)","url":"https://feed.craftedsignal.io/briefs/2026-05-nousresearch-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-9353"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["hermes-agent (\u003c= 2026.4.23)"],"_cs_severities":["high"],"_cs_tags":["cve","code injection","remote code execution","web application"],"_cs_type":"advisory","_cs_vendors":["NousResearch"],"content_html":"\u003cp\u003eA security vulnerability, CVE-2026-9353, has been identified in NousResearch hermes-agent, affecting versions up to 2026.4.23. The vulnerability resides in the \u003ccode\u003eagent/skills_guard.py\u003c/code\u003e file within the Skills Guard Multi-Word Prompt Handler component. By manipulating the \u003ccode\u003eTHREAT_PATTERNS\u003c/code\u003e argument, a remote attacker can inject arbitrary code. Public disclosure of the exploit is available, increasing the risk of exploitation. The vendor was contacted regarding the vulnerability, but no response was received. This vulnerability allows for unauthenticated remote code execution, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable NousResearch hermes-agent instance running a version prior to 2026.4.23.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload designed to exploit the code injection vulnerability in the \u003ccode\u003eTHREAT_PATTERNS\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a specially crafted request to the hermes-agent server, embedding the malicious payload within the \u003ccode\u003eTHREAT_PATTERNS\u003c/code\u003e argument targeting the Skills Guard Multi-Word Prompt Handler.\u003c/li\u003e\n\u003cli\u003eThe hermes-agent server processes the request, failing to properly sanitize or validate the \u003ccode\u003eTHREAT_PATTERNS\u003c/code\u003e input.\u003c/li\u003e\n\u003cli\u003eDue to insufficient input validation, the malicious payload is injected and executed by the server.\u003c/li\u003e\n\u003cli\u003eThe injected code allows the attacker to execute arbitrary commands on the server, potentially gaining shell access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised server to perform further actions, such as data exfiltration or lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete system compromise and gains persistent access to the target environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9353 can lead to remote code execution on the affected NousResearch hermes-agent server. This could allow an attacker to gain complete control over the system, potentially leading to data breaches, service disruption, or further attacks on the internal network. Given the public availability of the exploit, the likelihood of exploitation is increased, posing a significant risk to organizations using vulnerable versions of hermes-agent.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NousResearch hermes-agent to a version later than 2026.4.23 to remediate CVE-2026-9353.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-9353 Exploitation Attempt via Malicious THREAT_PATTERNS Argument\u0026rdquo; to detect potential exploitation attempts by monitoring HTTP requests for suspicious patterns.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures on all user-supplied inputs to prevent code injection vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual activity originating from the hermes-agent server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:44:43Z","date_published":"2026-05-26T13:44:43Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9353/","summary":"A remote code injection vulnerability (CVE-2026-9353) exists in NousResearch hermes-agent up to version 2026.4.23, allowing attackers to inject malicious code by manipulating the THREAT_PATTERNS argument in the Skills Guard Multi-Word Prompt Handler component.","title":"NousResearch hermes-agent Remote Code Injection Vulnerability (CVE-2026-9353)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9353/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-9350"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["hermes-agent (\u003c= 2026.4.16)"],"_cs_severities":["high"],"_cs_tags":["cve","authorization","hermes-agent"],"_cs_type":"advisory","_cs_vendors":["NousResearch"],"content_html":"\u003cp\u003eA missing authorization vulnerability, identified as CVE-2026-9350, affects NousResearch hermes-agent up to version 2026.4.16. The flaw resides within the \u003ccode\u003echeck_all_command_guards\u003c/code\u003e function in the \u003ccode\u003etools/approval.py\u003c/code\u003e file, a part of the Batch Runner component. Successful exploitation of this vulnerability allows remote attackers to bypass authorization checks, potentially leading to unauthorized command execution or data access. Publicly available exploit code exists, increasing the risk of exploitation. The vendor was notified but has not responded. This vulnerability was published on 2026-05-24.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable hermes-agent instance running a version prior to 2026.4.16.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the Batch Runner component.\u003c/li\u003e\n\u003cli\u003eThe request is designed to invoke functionality that relies on the \u003ccode\u003echeck_all_command_guards\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to the missing authorization check, the attacker bypasses the intended access controls.\u003c/li\u003e\n\u003cli\u003eThe attacker executes unauthorized commands or accesses restricted data within the Batch Runner component.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unauthorized access to escalate privileges or gain further control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker may install malware, exfiltrate sensitive data, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9350 can lead to unauthorized access to sensitive data, execution of arbitrary commands, and potential system compromise. This can result in data breaches, service disruption, and reputational damage. The fact that the exploit is publicly available increases the likelihood of widespread exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NousResearch hermes-agent to a version later than 2026.4.16 to remediate CVE-2026-9350.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious requests targeting the Batch Runner component of hermes-agent using the \u0026ldquo;Detect Suspicious Hermes-Agent Batch Runner Requests\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Unauthorized Command Execution via Hermes-Agent\u0026rdquo; Sigma rule to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:44:22Z","date_published":"2026-05-26T13:44:22Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9350-hermes-agent-auth-bypass/","summary":"A missing authorization vulnerability (CVE-2026-9350) exists in NousResearch hermes-agent up to version 2026.4.16, affecting the `check_all_command_guards` function in `tools/approval.py` of the Batch Runner component, enabling remote attackers to bypass authorization checks.","title":"NousResearch hermes-agent Missing Authorization Vulnerability (CVE-2026-9350)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9350-hermes-agent-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — NousResearch","version":"https://jsonfeed.org/version/1.1"}