CVE-2026-42077

Published: May 4, 2026

Modified: May 6, 2026

PUBLISHED

CVSS v3.1

5.2

MEDIUM

Description

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions which use Object.assign() to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. This issue has been patched in version 1.69.3.

Vendor	Product	Versions
EvoMap	evolver	affected `< 1.69.3`

Weaknesses (CWE)

CWE-1321

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

References

https://github.com/EvoMap/evolver/security/advisories/GHSA-2cjr-5v3h-v2w4

x_refsource_CONFIRM

https://github.com/EvoMap/evolver/releases/tag/v1.69.3

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-42077

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References