CVE-2026-42077
Prototype Pollution in Evolver AI Engine
Publication date: 2026-05-04
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a prototype pollution issue (CWE-1321) in Evolver's mailbox store module before version 1.69.3. The _applyUpdate() and _updateRecord() functions merge user-controlled update objects into stored records with Object.assign() without filtering the keys __proto__, constructor and prototype. JSON.parse() turns a body such as {"__proto__": {"isAdmin": true}} into an object whose own "__proto__" property is enumerated and merged like any other field, so the write lands on the prototype chain instead of on the record; when the merge descends into nested objects it reaches Object.prototype itself, and the attacker's properties become visible on every object in the process.
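The following JavaScript is an added example, not Evolver's code and not part of this advisory: it recreates the merge pattern the description characterises (Object.assign() over a user-controlled update object with no key filtering) next to a hardened variant, and runs a constructed payload through both. The function names unsafeUpdateRecord and safeUpdateRecord, the mailbox record shape and the payload are assumptions for illustration.

```javascript
// Added example, not Evolver's code: a recreation of the merge pattern the
// advisory describes (Object.assign over user-controlled update objects
// without filtering __proto__/constructor/prototype) and a hardened variant.
// Names such as unsafeUpdateRecord/safeUpdateRecord and the record shape
// are assumptions for illustration.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: for nested values it merges into whatever record[key]
// resolves to. record['__proto__'] is not an own property, so the lookup hits
// the inherited accessor and returns Object.prototype, which Object.assign()
// then writes into. One request can change every object in the process.
function unsafeUpdateRecord(record, update) {
  for (const key of Object.keys(update)) {
    const value = update[key];
    if (isPlainObject(value) && isPlainObject(record[key])) {
      Object.assign(record[key], value);
    } else {
      record[key] = value;
    }
  }
  return record;
}

// Reject the dangerous keys at every nesting level before touching the record,
// so a rejected update is never half-applied.
function assertSafeKeys(update, path = '') {
  for (const key of Object.keys(update)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing update: forbidden key at ${path}${key}`);
    }
    if (isPlainObject(update[key])) assertSafeKeys(update[key], `${path}${key}.`);
  }
}

function safeUpdateRecord(record, update) {
  assertSafeKeys(update);
  for (const key of Object.keys(update)) {
    const value = update[key];
    if (isPlainObject(value)) {
      // Only descend into an *own* plain-object property; anything inherited
      // (for example an accessor on the prototype chain) is replaced, not mutated.
      const own = Object.prototype.hasOwnProperty.call(record, key) ? record[key] : undefined;
      record[key] = safeUpdateRecord(isPlainObject(own) ? own : {}, value);
    } else {
      record[key] = value;
    }
  }
  return record;
}

// Constructed attacker payload: a legitimate field change plus a __proto__ key.
// JSON.parse() creates "__proto__" as an ordinary own property, so Object.keys()
// enumerates it and the merge routine sees it like any other field.
const PAYLOAD = '{"flags":{"read":true},"__proto__":{"isAdmin":true}}';

function demoUnsafe() {
  const record = { id: 'mbx-1', flags: { read: false } };
  unsafeUpdateRecord(record, JSON.parse(PAYLOAD));
  // An unrelated, freshly created object now "has" isAdmin via the prototype.
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution for the rest of the process
  return { readFlag: record.flags.read, leaked };
}

function demoSafe() {
  const record = { id: 'mbx-1', flags: { read: false } };
  let rejected = false;
  try {
    safeUpdateRecord(record, JSON.parse(PAYLOAD));
  } catch (e) {
    rejected = true;
  }
  return { rejected, readFlag: record.flags.read, leaked: ({}).isAdmin === true };
}

console.log('unsafe:', demoUnsafe()); // { readFlag: true, leaked: true }
console.log('safe:  ', demoSafe());   // { rejected: true, readFlag: false, leaked: false }
```

Running this under Node.js shows the vulnerable merge applying the legitimate flags change and, in the same call, adding isAdmin to Object.prototype so that an empty object literal created afterwards inherits it; the hardened merge rejects the whole update before any field is written. The key filter is the essential fix; the own-property check is defence in depth against merges that reach the prototype chain through inherited accessors.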
What immediate steps should I take to mitigate this vulnerability?
Upgrade Evolver to version 1.69.3 or later, where the prototype pollution in the mailbox store module has been patched. As general hardening that is not part of the vendor fix: reject or strip the keys __proto__, constructor and prototype from any JSON before it reaches a merge, prefer merge helpers that only copy own properties, and consider running Node.js with --disable-proto=delete, which removes the Object.prototype.__proto__ accessor; note that this flag does not close the constructor.prototype path, so the key filter is still required.
How can this vulnerability impact me?
Once Object.prototype carries an attacker-chosen property, every object in the process that does not define that property itself inherits it, so code that checks a flag such as isAdmin or debug on an object the attacker never touched now sees the attacker's value. Practical outcomes range from authorization or validation bypass and data corruption to a crash of the Node.js process when a polluted property breaks library code, which is the usual source of the availability impact; where the application contains a suitable gadget, pollution can escalate to code execution. According to the CVSS score, it has a moderate impact with low confidentiality and integrity impact but a high impact on availability.