CVE-2026-15311 in hermes-agent
Summary
by MITRE • 07/10/2026
A vulnerability was identified in NousResearch hermes-agent up to 2026.5.29.2. Affected by this issue is the function MatrixAdapter._markdown_to_html of the file gateway/platforms/matrix.py of the component Matrix Adapter. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
This vulnerability resides within the NousResearch hermes-agent software version 2026.5.29.2 and earlier, specifically targeting the MatrixAdapter._markdown_to_html function located in gateway/platforms/matrix.py. The flaw represents a classic cross-site scripting vulnerability that occurs when user-supplied markdown content is improperly sanitized before being converted to HTML format for display within the matrix communication platform. This type of vulnerability falls under CWE-79 which categorizes improper neutralization of input during web page generation, making it particularly dangerous in web-based messaging systems where users can inject malicious code through formatted text.
The technical implementation of this vulnerability stems from insufficient input validation and sanitization within the markdown to HTML conversion process. When the MatrixAdapter processes incoming messages containing markdown formatting, it fails to properly escape or filter potentially malicious content that could include script tags, event handlers, or other XSS payloads. The remote execution capability means that attackers can craft malicious markdown content that will be processed by the vulnerable application when other users view the messages, creating a persistent threat vector within the messaging environment.
The operational impact of this vulnerability extends beyond simple data theft or disruption, as it enables attackers to execute arbitrary JavaScript code in the context of affected users' browsers. This could lead to session hijacking, credential theft, or redirection to malicious sites, particularly dangerous in enterprise environments where the hermes-agent might be used for sensitive communications. The fact that a public exploit exists and is actively being used increases the risk profile significantly, as organizations cannot rely on the vulnerability remaining unexploited.
Organizations should immediately implement mitigation strategies including input sanitization of all markdown content, deployment of content security policies to restrict script execution, and regular updates to ensure they are running patched versions of the hermes-agent software. The vulnerability aligns with ATT&CK technique T1566 which describes social engineering tactics involving malicious content delivery, and T1071.004 which covers application layer protocol usage for command and control communications. Given that the fix is pending acceptance in a pull request, immediate defensive measures should be implemented while monitoring for any exploitation attempts within network traffic logs or user activity patterns.