Critical severity9.8NVD Advisory· Published May 4, 2026· Updated May 7, 2026

CVE-2026-42076

Description

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@evomap/evolvernpm	< 1.69.3	1.69.3

Affected products

EvoMap/Evolverreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-j5w5-568x-rq53ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-42076ghsaADVISORY
github.com/EvoMap/evolver/releases/tag/v1.69.3nvdWEB
github.com/EvoMap/evolver/security/advisories/GHSA-j5w5-568x-rq53nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000