What is the CVSS score of CVE-2026-42076?

CVE-2026-42076 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.4%.

Which versions of Evolver are affected by CVE-2026-42076?

Evolver versions before 1.69.3 contain a critical remote code execution vulnerability allowing unauthenticated attackers to execute arbitrary commands on affected systems, potentially resulting in…. A patch is available.

Evolver CVE-2026-42076

EUVD-2026-27009 CRITICAL

OS Command Injection (CWE-78)

2026-05-04 GitHub_M

GHSA-j5w5-568x-rq53

RCE Command Injection

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 04, 2026 - 18:32 EUVD

Source Code Evidence Fetched

May 04, 2026 - 17:49 vuln.today

Analysis Generated

May 04, 2026 - 17:49 vuln.today

Patch released

May 04, 2026 - 17:16 nvd

Patch available

EUVD ID Assigned

May 04, 2026 - 17:15 euvd

EUVD-2026-27009

Analysis Generated

May 04, 2026 - 17:15 vuln.today

CVE Published

May 04, 2026 - 16:48 nvd

CRITICAL 9.8

DescriptionNVD

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3.

AnalysisAI

Remote code execution in Evolver versions before 1.69.3 allows unauthenticated network attackers to execute arbitrary shell commands via command injection in the _extractLLM() function. Attackers exploit unsanitized corpus parameters passed to execSync() through string concatenation in a curl command, achieving full system compromise. …

RemediationAI

Within 24 hours: Identify and inventory all Evolver deployments with versions prior to 1.69.3 and assess network exposure (prioritize internet-facing instances). Within 7 days: Implement network segmentation and access controls to restrict Evolver service to trusted networks only; monitor for suspicious curl-based command injection attempts in application logs. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42076 vulnerability details – vuln.today

Back

Evolver CVE-2026-42076

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code