CVE-2026-42076: Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability
Summary
Evolver, a tool that helps AI agents improve themselves, had a command injection vulnerability (a security flaw where attackers trick the system into running unauthorized commands) in versions before 1.69.3. The flaw was in the _extractLLM() function, which built shell commands using simple string concatenation without cleaning the input first, allowing attackers to execute arbitrary commands on the server when certain input contained shell metacharacters (special characters that have meaning to the command system).
Solution / Mitigation
This issue has been patched in version 1.69.3. Users should upgrade to version 1.69.3 or later.
Vulnerability Details
9.8(critical)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
network
low
none
none
May 4, 2026
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42076
First tracked: May 4, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 92%