CVE-2026-42075
Deferred Deferred - Pending Action
Path Traversal in Evolver AI Agent Engine

Publication date: 2026-05-04

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive location. This issue has been patched in version 1.69.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42075
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in Evolver, a GEP-powered self-evolving engine for AI agents, specifically in versions prior to 1.69.3. It is a path traversal vulnerability in the skill download (fetch) command. The issue arises because the --out= flag accepts user-provided file paths without proper validation, allowing attackers to perform directory traversal attacks. This means attackers can write files to arbitrary locations on the filesystem, potentially overwriting critical system files or creating files in sensitive locations.

Impact Analysis

This vulnerability can have a significant impact by allowing attackers to write or overwrite files anywhere on the filesystem. This can lead to the corruption or replacement of critical system files, potentially causing system instability, unauthorized code execution, or denial of service. Because the attacker can place files in sensitive locations, it may also facilitate further attacks or persistence on the affected system.

Mitigation Strategies

To mitigate this vulnerability, upgrade Evolver to version 1.69.3 or later, where the path traversal issue in the skill download (fetch) command has been patched.

Avoid using the --out= flag with untrusted input to prevent directory traversal attacks that could overwrite critical system files or create files in sensitive locations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42075. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart