CVE-2026-42076

Source
https://cve.org/CVERecord?id=CVE-2026-42076
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42076.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42076
Aliases
Published
2026-05-04T16:48:51.446Z
Modified
2026-07-08T08:03:12.694912974Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution
Details

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42076.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/evomap/evolver

Affected ranges

Type
GIT
Repo
https://github.com/evomap/evolver
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.69.3"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v1.*
v1.66.0
v1.67.0
v1.67.1
v1.67.2
v1.67.4
v1.67.6
v1.68.0-beta.1
v1.68.0-beta.2
v1.69.0
v1.69.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42076.json"