Description

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions which use Object.assign() to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. This issue has been patched in version 1.69.3.

INFO

Published Date :

2026-05-04T16:50:15.167Z

Last Modified :

2026-05-06T13:40:54.808Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-42077 vulnerability.

Vendors Products
Evomap
  • Evolver
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-42077.

URL Resource
https://github.com/EvoMap/evolver/releases/tag/v1.69.3 cve-icon cve-icon
https://github.com/EvoMap/evolver/security/advisories/GHSA-2cjr-5v3h-v2w4 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact