CVE-2026-42076
Command Injection in Evolver AI Engine
Publication date: 2026-05-04
Last updated on: 2026-05-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| evomap | evolver | to 1.69.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Evolver software, specifically in the _extractLLM() function prior to version 1.69.3. The function builds a curl command by concatenating strings and then executes it using execSync() without properly sanitizing the input. Because of this, if an attacker includes shell metacharacters in the corpus parameter, they can inject and execute arbitrary shell commands on the server.
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary commands on the affected server without any privileges or user interaction. This can lead to full system compromise, including unauthorized access, data theft, data modification, or disruption of services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Evolver to version 1.69.3 or later, where the command injection issue in the _extractLLM() function has been patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The command injection vulnerability in the EvoMap/evolver package allows attackers to execute arbitrary shell commands with the privileges of the Node.js process. This can lead to full system compromise, data exfiltration, malware installation, or lateral network movement.
Such impacts could result in unauthorized access to sensitive data, potentially violating data protection regulations like GDPR or HIPAA, which require strict controls to protect personal and health information.
However, the provided information does not explicitly mention compliance implications or specific effects on standards like GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves command injection through the `corpus` parameter in the `_extractLLM()` function of the EvoMap/evolver package prior to version 1.69.3. Detection would involve identifying if the vulnerable version of the package is in use and whether the `corpus` parameter is being passed unsanitized input that could lead to command execution.
Since the vulnerability is triggered by shell metacharacters in the `corpus` parameter, one detection approach is to monitor or audit usage of the `corpus` parameter for suspicious input containing shell metacharacters such as `$()`, backticks, semicolons, or other command separators.
Specific commands to detect exploitation attempts or presence of the vulnerable package might include:
- Check the installed version of the `@evomap/evolver` npm package to confirm if it is prior to 1.69.3: `npm list @evomap/evolver`
- Search logs or network traffic for suspicious payloads containing shell metacharacters in the `corpus` parameter, for example using grep: `grep -rE '\$\(|`|;|&&' /path/to/logs`
- Monitor running processes or command executions spawned by the Node.js process for unexpected commands.
Note that no specific detection commands or signatures are provided in the available resources, so detection relies on version checking and monitoring for suspicious input patterns related to the `corpus` parameter.