Impact
Evolver includes a skill download (fetch) command that accepts a user-controlled "--out" flag. The flag is used to specify an output file path, but the application fails to validate or canonicalise the supplied path. As a result, an attacker can supply a path containing traversal sequences such as "../". This flaw directly maps to CWE-22 (Path Traversal) and allows the writing of files to any location on the filesystem that the Evolver process can access. Overwriting critical system files or creating files in sensitive directories could lead to privilege escalation or compromise of the underlying host.
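The missing check can be illustrated with a short containment routine. This is an added example, not Evolver's code or the vendor's fix; `resolve_out_path`, `write_skill`, `UnsafeOutputPath` and the base directory are hypothetical names, and the sample paths are constructed.

```python
import os
import tempfile
from pathlib import Path


class UnsafeOutputPath(ValueError):
    """Raised when a requested output path escapes the allowed directory."""


def resolve_out_path(base_dir, user_out):
    """Return the canonical target for user_out, or raise if it leaves base_dir.

    user_out stands in for the value of an --out style flag (hypothetical).
    """
    base = Path(base_dir).resolve()
    # Joining with an absolute user_out discards base entirely, so the check
    # has to run on the resolved result, never on the raw string.
    candidate = (base / user_out).resolve()
    # resolve() collapses ".." and follows symlinks that already exist;
    # commonpath() compares whole path components, not string prefixes.
    if os.path.commonpath([str(base), str(candidate)]) != str(base):
        raise UnsafeOutputPath(f"{user_out!r} resolves outside {base}")
    if candidate == base:
        raise UnsafeOutputPath("output path must name a file inside the base")
    return candidate


def write_skill(base_dir, user_out, data):
    """Write data only after the containment check has passed."""
    target = resolve_out_path(base_dir, user_out)
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_NOFOLLOW (where available) refuses a symlink planted at the final
    # component between the check above and the open below.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        samples = ["skills/demo.md", "../escape.txt", "a/../../escape.txt", "/tmp/abs.txt"]
        for out in samples:  # constructed inputs
            try:
                print("ok  ", write_skill(root, out, b"constructed sample"))
            except UnsafeOutputPath as exc:
                print("deny", exc)
```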
Affected Systems
The vulnerability affects the Evolver engine distributed by EvoMap. Any installation of Evolver older than version 1.69.3 is susceptible; the unpatched versions include 1.69.2 and earlier releases.
Risk and Exploitability
The CVSS score of 8.1 classifies this issue as High severity, indicating that the flaw can have a substantial impact on confidentiality, integrity, and availability. No EPSS score is available, so current data on exploitation likelihood is lacking, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector, as inferred from the exploitation path described in the advisory, is local or remote execution of the fetch command with a crafted --out parameter. If an attacker can run the command with sufficient privileges, the path traversal allows arbitrary files to be written, enabling further compromise.