Skip to main content

EvoMap Evolver CVE-2026-42077

| EUVDEUVD-2026-27012 MEDIUM
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-05-04 GitHub_M
5.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.2 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

7
Patch available
May 04, 2026 - 18:32 EUVD
Source Code Evidence Fetched
May 04, 2026 - 17:50 vuln.today
Analysis Generated
May 04, 2026 - 17:50 vuln.today
Patch released
May 04, 2026 - 17:16 nvd
Patch available
EUVD ID Assigned
May 04, 2026 - 17:15 euvd
EUVD-2026-27012
Analysis Generated
May 04, 2026 - 17:15 vuln.today
CVE Published
May 04, 2026 - 16:50 nvd
MEDIUM 5.2

DescriptionGitHub Advisory

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions which use Object.assign() to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. This issue has been patched in version 1.69.3.

AnalysisAI

Prototype pollution in EvoMap Evolver versions prior to 1.69.3 allows local attackers with high privileges to inject malicious properties into Object.prototype via unfiltered Object.assign() calls in the mailbox store module, potentially modifying the behavior of all JavaScript objects and causing information disclosure or denial of service. The vulnerability requires file system write access to the messages.jsonl persistence file and high privileges, limiting real-world exploitability to insider or local compromise scenarios.

Technical ContextAI

The vulnerability exists in the mailbox store module (src/proxy/mailbox/store.js) where the _applyUpdate() and _updateRecord() functions use Object.assign() to merge user-controlled data from the messages.jsonl JSONL file into internal objects without sanitizing dangerous prototype-chain keys (__proto__, constructor, prototype). When a crafted JSONL entry containing __proto__ as a field key is processed during index rebuild or record updates, the unsafe merge operation pollutes the prototype chain of all JavaScript objects in the running process. This is classified as CWE-1321 (Improperly Controlled Modification of Object-prototype Attributes in JavaScript).

RemediationAI

Upgrade EvoMap Evolver to version 1.69.3 or later immediately. The patched version (1.69.3) available at https://github.com/EvoMap/evolver/releases/tag/v1.69.3 implements filtering of dangerous prototype-chain keys (__proto__, constructor, prototype) in the Object.assign() merge operations. For npm users, run 'npm install @evomap/evolver@1.69.3' or update package.json and reinstall. If immediate upgrade is not possible, restrict file system write permissions to the messages.jsonl file to users and processes that absolutely require update capability, and audit user and service account privileges on systems running Evolver to ensure only necessary accounts have write access to the mailbox persistence files.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-42077 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy