CVE-2026-42076

Evolver · Evolver

The Evolver AI agent engine contains a command injection vulnerability in the _extractLLM() function, allowing unauthenticated remote code execution via unsanitized input.

Executive summary

A critical command injection vulnerability in the Evolver AI engine allows remote attackers to execute arbitrary shell commands on affected servers.

Vulnerability

The _extractLLM() function improperly handles the corpus parameter, which is concatenated into a system command and executed via execSync() without sanitization, facilitating remote code execution.

Business impact

With a CVSS score of 9.8, this vulnerability allows an attacker to gain complete control over the host server. The potential impact includes unauthorized access to sensitive AI data, system disruption, and the use of the server as a pivot point for further attacks against the internal network.

Remediation

Immediate Action: Upgrade the Evolver engine to version 1.69.3 or newer to patch the command injection flaw.

Proactive Monitoring: Inspect server logs for suspicious command-line activity or unexpected shell execution patterns related to the AI engine's processing threads.

Compensating Controls: Implement strict input validation at the Web Application Firewall (WAF) level to block requests containing shell metacharacters in the corpus parameter.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the severity of command injection, immediate patching is required. Ensure all instances of the Evolver engine are updated to version 1.69.3 to prevent unauthorized server-side code execution.