CVE-2026-42075: Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write

April 22, 2026 (updated May 4, 2026)

A path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive locations.

References

github.com/EvoMap/evolver
github.com/EvoMap/evolver/releases/tag/v1.69.3
github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j
github.com/advisories/GHSA-r466-rxw4-3j9j
nvd.nist.gov/vuln/detail/CVE-2026-42075

Code Behaviors & Features

Detect and mitigate CVE-2026-42075 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →