EverOS is a memory runtime for agents. Prior to 1.0.1, EverOS is vulnerable to path traversal in the POST /api/v1/memory/add ingestion endpoint because the per-message senderid field was not validated as a path-safe identifier, unlike appid and projectid. During user-memory extraction, senderid is used as ownerid and joined into the filesystem path where the extracted episode is persisted as a Markdown file, so a senderid containing ../ sequences could direct writes outside the configured memory root and allow an unauthenticated caller to create or overwrite .md files at locations writable by the server process with partially attacker-influenced content. This issue is fixed in version 1.0.1.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-22"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58499.json"
}