CVE-2026-42076
Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution
CVSS Score: 9.8
EPSS Score: 0.0%
EPSS Percentile: 0th
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the `_extractLLM()` function allows an attacker to execute arbitrary shell commands on the server. The function builds a curl command line by string concatenation and passes it to `execSync()`, which hands the string to a shell for parsing; because the `corpus` parameter is inserted without sanitization or escaping, shell metacharacters in it are interpreted, so anyone who controls that parameter can run arbitrary commands with the privileges of the Evolver process. This issue has been patched in version 1.69.3.
| CWE | CWE-78 |
| Vendor | evomap |
| Product | evolver |
| Published | May 4, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Affected Versions
EvoMap / evolver: < 1.69.3