CVE-2026-22798

MEDIUM EPSS 4.9%
Published Jan 12, 20265mo ago · Modified Jun 17, 20261w ago
5.0 CVSS 3.1
Medium
Find Similar
Published Jan 12, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago

Description

hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1.

CVSS Details

Base Score
5.0
Exploitability
1.3
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
4.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-532

Affected Products 1

VendorProductVersionRange
software-metadata.pubhermes*≥0.8.1  –  <0.9.1

References 3

  • github.com https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1
    Patch
  • github.com https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514
    Patch
  • github.com https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23
    PatchVendor Advisory

Remediation

  • github.com https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1
    Patch
  • github.com https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514
    Patch
  • github.com https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23
    PatchVendor Advisory