CVE-2026-42077
Deferred Deferred - Pending Action
Prototype Pollution in Evolver AI Engine

Publication date: 2026-05-04

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions which use Object.assign() to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. This issue has been patched in version 1.69.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42077
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a prototype pollution issue in the Evolver software, specifically in its mailbox store module before version 1.69.3. It allows attackers to inject malicious properties into JavaScript's Object.prototype by exploiting the _applyUpdate() and _updateRecord() functions. These functions use Object.assign() to merge user-controlled data without filtering out dangerous keys such as __proto__, constructor, or prototype.

Impact Analysis

The vulnerability can impact you by allowing attackers to modify the behavior of all JavaScript objects within the affected application. This can lead to unexpected behavior, potential data corruption, or escalation of privileges. According to the CVSS score, it has a moderate impact with low confidentiality and integrity impact but a high impact on availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Evolver to version 1.69.3 or later, where the prototype pollution issue in the mailbox store module has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42077. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart