CVE-2026-42077: Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerabilit
mediumvulnerability
security
Summary
Evolver, a self-evolving engine for AI agents, had a prototype pollution vulnerability (a bug where attackers inject malicious properties into core JavaScript objects) in versions before 1.69.3. The flaw existed in functions that merged user data without blocking dangerous keys like __proto__ and constructor, allowing attackers to modify how all JavaScript objects behave.
Solution / Mitigation
Update to version 1.69.3, where this issue has been patched.
Vulnerability Details
CVSS Score
5.2(medium)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H
Attack Vector
local
Attack Complexity
high
Privileges Required
high
User Interaction
none
Disclosure Date
May 4, 2026
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
integrity
AI Component TargetedAgent
Affected Vendors
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42077
First tracked: May 4, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 85%