GHSA-r466-rxw4-3j9j: Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write

April 22, 2026

A path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive locations.

References

github.com/EvoMap/evolver
github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j
github.com/advisories/GHSA-r466-rxw4-3j9j

Code Behaviors & Features

Detect and mitigate GHSA-r466-rxw4-3j9j with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →