High severity8.1NVD Advisory· Published May 4, 2026· Updated May 7, 2026

CVE-2026-42075

Description

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive location. This issue has been patched in version 1.69.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@evomap/evolvernpm	< 1.69.3	1.69.3

Affected products

EvoMap/Evolverreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-r466-rxw4-3j9jghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-42075ghsaADVISORY
github.com/EvoMap/evolver/releases/tag/v1.69.3nvdWEB
github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9jnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000