Description
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3.
Published: 2026-05-04
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw in the _extractLLM() function of the Evolver engine allows an attacker to construct a curl command through string concatenation and pass it to execSync() without sanitizing input. The vulnerability enables execution of arbitrary shell commands on the host server, effectively delivering remote code execution for users who can influence the corpus parameter with shell metacharacters.

Affected Systems

The affected product is the EvoMap Evolver engine. Versions earlier than 1.69.3 are vulnerable; the issue was fixed in version 1.69.3 and later versions are not affected.

Risk and Exploitability

With a CVSS score of 9.8, the vulnerability is considered critical. The EPSS score is not reported and the vulnerability is not listed in the CISA KEV catalog, implying no known exploits at this time. The attack vector is remote, relying on an attacker’s ability to supply a crafted corpus parameter that contains shell metacharacters. Once exploited, the attacker can execute any command with the privileges of the running Evolver process.

Generated by OpenCVE AI on May 4, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official update to EvoMap Evolver version 1.69.3 or later
  • If upgrading is not immediately possible, limit exposure of the corpus input endpoint to trusted networks or roles
  • Implement input sanitization on the corpus parameter to escape or remove shell metacharacters before they reach execSync

Generated by OpenCVE AI on May 4, 2026 at 19:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Evomap
Evomap evolver
Vendors & Products Evomap
Evomap evolver

Mon, 04 May 2026 17:15:00 +0000

Type Values Removed Values Added
Description Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3.
Title Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Evomap Evolver
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T16:48:51.446Z

Reserved: 2026-04-23T19:17:30.565Z

Link: CVE-2026-42076

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-04T17:16:24.440

Modified: 2026-05-04T17:16:24.440

Link: CVE-2026-42076

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T19:43:59Z

Weaknesses