A vulnerability classified as critical was found in NousResearch hermes-agent up to 2026.4.16 . The affected element is an unknown function of the component Slack Agent/Mattermost Agent . The manipulation of the argument format_message results in escaping of output. This vulnerability is identified as CVE-2026-9354 . The attack can be executed remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.