
    2 vulnerabilities by softwarepub

    CVE-2026-22798 (GCVE-0-2026-22798)

    Vulnerability from nvd – Published: 2026-01-12 22:00 – Updated: 2026-01-13 19:08
    VLAI
    Title
    hermes's raw options logging may disclose secrets passed in via subcommand options argument
    Summary
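    hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1. The record does not say that upgrading cleans existing log files, so any token passed via -O on an affected version should be treated as exposed: rotate it, and restrict access to or purge the affected logs. Note that the CNA-supplied CVSS vector in the record below (C:N/I:H) rates confidentiality impact as none, which does not match the information disclosure described here (CWE-532); read the score with that in mind.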
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    softwarepub hermes Affected: >= 0.8.1, < 0.9.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22798",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-13T14:14:24.495713Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-13T19:08:22.846Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hermes",
              "vendor": "softwarepub",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.8.1, \u003c 0.9.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-12T22:00:30.175Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23"
            },
            {
              "name": "https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1"
            },
            {
              "name": "https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514"
            }
          ],
          "source": {
            "advisory": "GHSA-jm5j-jfrm-hm23",
            "discovery": "UNKNOWN"
          },
          "title": "hermes\u0027s raw options logging may disclose secrets passed in via subcommand options argument"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22798",
        "datePublished": "2026-01-12T22:00:30.175Z",
        "dateReserved": "2026-01-09T22:50:10.287Z",
        "dateUpdated": "2026-01-13T19:08:22.846Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22798 (GCVE-0-2026-22798)

    Vulnerability from cvelistv5 – Published: 2026-01-12 22:00 – Updated: 2026-01-13 19:08
    VLAI
    Title
    hermes's raw options logging may disclose secrets passed in via subcommand options argument
    Summary
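    hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1. The record does not say that upgrading cleans existing log files, so any token passed via -O on an affected version should be treated as exposed: rotate it, and restrict access to or purge the affected logs. Note that the CNA-supplied CVSS vector in the record below (C:N/I:H) rates confidentiality impact as none, which does not match the information disclosure described here (CWE-532); read the score with that in mind.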
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    softwarepub hermes Affected: >= 0.8.1, < 0.9.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22798",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-13T14:14:24.495713Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-13T19:08:22.846Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hermes",
              "vendor": "softwarepub",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.8.1, \u003c 0.9.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-12T22:00:30.175Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23"
            },
            {
              "name": "https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1"
            },
            {
              "name": "https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514"
            }
          ],
          "source": {
            "advisory": "GHSA-jm5j-jfrm-hm23",
            "discovery": "UNKNOWN"
          },
          "title": "hermes\u0027s raw options logging may disclose secrets passed in via subcommand options argument"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22798",
        "datePublished": "2026-01-12T22:00:30.175Z",
        "dateReserved": "2026-01-09T22:50:10.287Z",
        "dateUpdated": "2026-01-13T19:08:22.846Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }