Skip to main content

Everos

1 CVEs product

Monthly

CVE-2026-58499 PyPI HIGH PATCH This Week

Unauthenticated arbitrary file write in EverOS, an AI-agent memory runtime by EverMind-AI, affects all versions prior to 1.0.1 via the POST /api/v1/memory/add ingestion endpoint. Because the per-message sender_id field is not sanitized as a path-safe identifier (unlike app_id and project_id), an attacker can supply ../ sequences that redirect where extracted memory episodes are written, letting a remote unauthenticated caller create or overwrite .md files outside the memory root with partially attacker-controlled content. No public exploit identified at time of analysis, and no EPSS score was provided, but the CVSS 8.2 rating and unauthenticated network reach make it a meaningful integrity risk for exposed instances.

Path Traversal Everos
NVD GitHub
CVSS 3.1
8.2
EPSS
0.4%
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Unauthenticated arbitrary file write in EverOS, an AI-agent memory runtime by EverMind-AI, affects all versions prior to 1.0.1 via the POST /api/v1/memory/add ingestion endpoint. Because the per-message sender_id field is not sanitized as a path-safe identifier (unlike app_id and project_id), an attacker can supply ../ sequences that redirect where extracted memory episodes are written, letting a remote unauthenticated caller create or overwrite .md files outside the memory root with partially attacker-controlled content. No public exploit identified at time of analysis, and no EPSS score was provided, but the CVSS 8.2 rating and unauthenticated network reach make it a meaningful integrity risk for exposed instances.

Path Traversal Everos
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy