CVE-2026-42076 | Evolver is a GEP-powered self-evolving engine for AI agents.… | CVSS 9.8 CRITICAL

Description

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3.

Metadata

CVE ID: CVE-2026-42076
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-04-23 19:17 UTC
Published: 2026-05-04 16:48 UTC
Last updated: 2026-05-05 14:14 UTC
Primary CWE: CWE-78
CWE-78: Improper Neutralization of Special Elements used in …
Vendor / Product: EvoMap / evolver
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
EvoMap	evolver	—	< 1.69.3

Weakness (CWE)

CWE	Source	Description
CWE-78	cna	CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)

https://github.com/EvoMap/evolver/security/advisories/GHSA-j5w5-568x-rq53 https://github.com/EvoMap/evolver/security/advisories/GHSA-j5w5-568x-rq53
https://github.com/EvoMap/evolver/releases/tag/v1.69.3 https://github.com/EvoMap/evolver/releases/tag/v1.69.3