CVE-2026-42075 · HIGH 8.1 · EPSS p42.5%


Description

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive locations. This issue has been patched in version 1.69.3.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.57% probability of exploitation · percentile 42.5% · 2026-06-18T12:00:27Z
Published: 2026-05-04
Last modified: 2026-05-07

Underlying weaknesses · 1

CWE-22

References

  1. https://github.com/EvoMap/evolver/releases/tag/v1.69.3
  2. https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j


Type: Weakness
Target: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-42076
CVE-2026-41863
CVE-2026-22661
CVE-2026-7302
CVE-2026-42048
CVE-2026-38950

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.