A vulnerability was found in NousResearch hermes-agent up to 2026.5.16. It has been classified as critical. It affects the function extract_media in the file gateway/platforms/base.py of the component Live Webhook Endpoint. Manipulation leads to path traversal.

This vulnerability is identified as CVE-2026-14628. The attack can be initiated remotely. In addition, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.