What is the CVSS score of CVE-2026-42077?

CVE-2026-42077 has a CVSS 3.1 base score of 5.2 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-42077?

Yes, a patch is available for CVE-2026-42077. Update the affected software to the latest version immediately.

EvoMap Evolver CVE-2026-42077

EUVD-2026-27012 MEDIUM

Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)

2026-05-04 GitHub_M

Code Injection Prototype Pollution

5.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

Lifecycle Timeline

Patch available

May 04, 2026 - 18:32 EUVD

Source Code Evidence Fetched

May 04, 2026 - 17:50 vuln.today

Analysis Generated

May 04, 2026 - 17:50 vuln.today

Patch released

May 04, 2026 - 17:16 nvd

Patch available

EUVD ID Assigned

May 04, 2026 - 17:15 euvd

EUVD-2026-27012

Analysis Generated

May 04, 2026 - 17:15 vuln.today

CVE Published

May 04, 2026 - 16:50 nvd

MEDIUM 5.2

DescriptionNVD

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions which use Object.assign() to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. This issue has been patched in version 1.69.3.

AnalysisAI

Prototype pollution in EvoMap Evolver versions prior to 1.69.3 allows local attackers with high privileges to inject malicious properties into Object.prototype via unfiltered Object.assign() calls in the mailbox store module, potentially modifying the behavior of all JavaScript objects and causing information disclosure or denial of service. The vulnerability requires file system write access to the messages.jsonl persistence file and high privileges, limiting real-world exploitability to insider or local compromise scenarios.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42077 vulnerability details – vuln.today

Back

EvoMap Evolver CVE-2026-42077

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code