Evomap Evolver vulnerabilities
3 known vulnerabilities affecting evomap/evolver.
Total CVEs
3
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH1MEDIUM1
Vulnerabilities
Page 1 of 1
CVE-2026-42076P2CRITICALCVSS 9.8fixed in 1.69.32026-05-04
CVE-2026-42076 [CRITICAL] CWE-78 CVE-2026-42076: Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command inje
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling
nvd
CVE-2026-42075P3HIGHCVSS 8.1fixed in 1.69.32026-05-04
CVE-2026-42075 [HIGH] CWE-22 CVE-2026-42075: Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path travers
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite criti
nvd
CVE-2026-42077P4MEDIUMCVSS 5.2fixed in 1.69.32026-05-04
CVE-2026-42077 [MEDIUM] CWE-1321 CVE-2026-42077: Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype po
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions
nvd